Johns Hopkins takes the protection and proper use of patient information very seriously. Regrettably, this notice concerns a cybersecurity incident that involved some of that information, and explains the circumstances of the incident, the measures we are taking in response, and offers steps patients may consider taking.
What Happened?
On May 31, 2023, Johns Hopkins was notified by a third-party software vendor, MOVEit, of a technical vulnerability in its software. We took immediate action, including disconnecting the Johns Hopkins server that utilizes the MOVEit software and engaging a third-party cybersecurity incident response team to assist with forensic analysis and ongoing monitoring. The investigation determined that an unauthorized party had gained access to the Johns Hopkins server that hosted the MOVEit software on May 29, 2023, and was able to download documents off of this server containing Johns Hopkins information. This cybersecurity incident also impacted many other providers and businesses nationally and internationally.
What Information Was Involved?
Johns Hopkins conducted a comprehensive review of the information downloaded, which determined that that some patients’ information was included. The information involved varied by individual but may have included one of more of the following: name, address, email address, phone number, guarantor information, general billing information, account number, date of birth, Social Security number, medical record number, health insurance information, information related to care received at Johns Hopkins, such as procedure information, location of service, treatment cost, diagnosis, medications, provider name, and/or date(s) of service.
The incident did not affect all Johns Hopkins patients, but only those whose information was included in the information downloaded. Additionally, Johns Hopkins’ electronic medical records are separate from the MOVEit server and were not impacted, nor was any information lost or deleted.
What We Are Doing
Johns Hopkins is committed to maintaining the privacy and security of our patients’ information and is taking this incident very seriously. We have been working with our business partners and law enforcement to mitigate this situation as best as possible.
Beginning on June 23, 2023, Johns Hopkins started mailing letters to patients whose information was identified through our review and for whom we have sufficient contact information. The letters include additional information on steps individuals can take to monitor and protect their personal information, as well as instructions for enrolling in two years of complimentary credit monitoring and resolution services through IDX’s MyIDCareTM Identity Protection. Patients who believe their information was involved but do not receive a letter by August 21, 2023 can contact IDX at (888) 703-9247 on weekdays between the hours of 9 am and 9 pm ET.
What You Can Do
As a precaution, we recommend patients monitor their accounts and watch for any suspicious activity. If you suspect or discover that your information has been used inappropriately, please notify your local law enforcement or consumer protection agency. For more information on additional steps you can take to protect your information, please visit www.HopkinsMedicine.org/DataAttack.
For More Information
If you have any additional questions, please do not hesitate to contact IDX at (888) 703-9247 on weekdays between the hours of 9 am and 9 pm ET.