More than 1 million St. Joseph's/Candler patients' and employees' personal information was exposed during a ransomware attack on the Savannah, Ga.-based health system in June.
St. Joseph's/Candler reported the breach to HHS Aug. 10 as affecting 1.4 million individuals.
The health system discovered "suspicious network activity" June 17 and shut down its IT systems. During the downtime, St. Joseph's/Candler switched to backup operation methods including paper documentation to limit the potential effects of the ransomware attack.
On Aug. 10, the health system announced that the hacker gained access to its network between Dec. 18, 2020, and June 17, 2021. While St. Joseph's/Candler did not cancel any surgeries or procedures because of the attack, the incident temporarily disrupted telephone communications and knocked computer systems offline, making certain files inaccessible.
On Aug. 18, St. Joseph's/Candler CEO and President Paul Hinchey told Savannah Morning News that the health system was "fully operational" and that "There are a few hotspots where we have to change out computers. But in terms of the hospital ... we're back electronically, which was a big sea change for us, because we went from a fully integrated system to a paper system, and we haven't done that in 25 years."
The health system began notifying patients in early August of the data breach and said that exposed information included names, Social Security numbers, addresses, patient account numbers, financial details and health insurance plan member ID numbers.
St. Joseph's/Candler is offering free credit monitoring services to affected individuals and said it has upgraded its technical security measures for monitoring its IT systems.