An unauthorized party gained entry into an an employee's email account at Saint Francis Ministries, accessing sensitive personal identifying information, as well as financial and protected health data.
In an online notification and corresponding press release, the Salina, Kan.-based non-profit organization said the actor accessed the account between Dec. 13 and 20 of 2019. Saint Francis first noticed the anomalous activity on Dec. 19, confirmed the illegal access on Feb. 12 and determined on March 24 that data belonging to multiple individuals was exposed.
Affected information includes social security numbers, birth dates, driver's licenses and state IDs, bank and financial account numbers, payment card numbers, treatment and diagnosis information, prescription information, provider names, medical record numbers and patient IDs, Medicare and Medicaid numbers, health insurance information, treatment cost information, and credentials (usernames and passwords).
SC Media contacted Saint Francis for clarification on whether the exposed data belongs to recipients of its services, employees of the organization, or both. Morgan Rothenberger, director of marketing and communications, replied, "We are still in the process of determining the relationships affected individuals have to Saint Francis Ministries. We will notify affected individuals on a rolling basis and as required by the applicable notification statutes. "
Saint Francis asserts that it is "unaware of any actual or attempted misuse of any personal or protected health information relating to this incident." The organization said that this week it will mail notices to impacted individuals, warning them to review account statements, credit reports and explanation of benefits forms for suspicious red flags, and to watch out for identity theft and fraud schemes. It will also offer recipients 12 months of free credit monitoring and/or identity theft restoration services.
"While we have security measures in place to protect information in our care, we are also taking steps to implement additional safeguards and review policies and procedures in order to protect the security of information on our systems," Saint Francis said in its online statement. "Specifically, Saint Francis immediately changed the credentials for the email account once it detected the suspicious behavior.
Saint Francis offers services related to adoption, foster care, behavioral health, migrant and refugee initiatives, and more. It has locations based in Arkansas, Kansas, Mississippi, Nebraska, Oklahoma, Texas and Central America.
