SPRINGFIELD, Mass. (WWLP) – Patients of Trinity Health may have had their personal information stolen in a data breach earlier this year.

According to Mercy Medical Center Spokesperson Mary Orr, on January 20th hackers downloaded patient files that were hosted on a third-party vendor’s platform. These files contained health and personal information, including name, address, date of birth, healthcare provider, and medications. A very small number of patients may have had their social security or credit card numbers compromised as well.

Orr said they immediately launched an investigation into the data breach once they found out, and are working to further evaluate their data security policies and procedures.

Henry Santa, a patient at Mercy, told 22News he received a letter in the mail alerting him of the information breach, “My concern is that my name and all my information is out there and they might do something with it. And I’m very concerned. I’m very concerned because anybody can do damage if they get ahold of the information.”

Trinity Health is mailing more information to anyone who may have been involved in the data breach. They are also providing access to credit monitoring.

Trinity Health sent 22News the following statement:

Trinity Health was recently notified by Accellion, a third-party vendor, of a security incident impacting the large file transfer service. The Accellion File Transfer Appliance is used by Trinity Health and many other companies for large file transfers. Trinity Health provides information technology services for its current and some former member hospitals and health care providers, including email services. Information about Trinity Health and its current and some former locations can be found at. www.trinity-health.org and Location Results (trinity-health.org) and www.virtua.org

On January 29, 2021, Accellion informed Trinity Health of a security issue with its secure file transfer platform. Upon receiving this notice, Trinity Health immediately took the appliance offline and launched an investigation into the issue and its impact on both Trinity Health and our patients and colleagues. This investigation determined that certain files present on the appliance on January 20 were downloaded by an unknown user. The unauthorized user was able to take advantage of a previously unknown and unreported flaw in the security of the Accellion appliance.

Although the investigation is ongoing, on February 4, 2021, Trinity Health determined file(s) were present on the appliance at the time of this event. The files contained certain protected health information, including a combination of demographic, clinical and financial information such as your name, address, email, date of birth, healthcare provider, dates and types of health care services, medical record number, immunization type, lab results, medications, payment, payer name, and claims information. The confidential information of a very small number of impacted individuals included a social security number or credit card number.

Trinity Health takes these matters extremely seriously. When Trinity Health was alerted of the security issue Trinity Health immediately took steps to terminate access and use of the appliance and worked with Accellion to investigate the event. Trinity Health also confirmed the security of its network. Additionally, while Trinity Health goes to great lengths to protect patient and colleague information entrusted to it, as part of its ongoing commitment to the security of information in its care, Trinity Health is further evaluating its data security policies and procedures.

Trinity Health is mailing notice to those whose information may have been contained within the appliance at the time of this event. In that notice, Trinity Health is providing access to credit monitoring as well as guidance on how to protect against identity theft and fraud, should they feel it is necessary to do so. While Trinity Health is unaware of misuse of information, Trinity Health encourages those who may be impacted to remain vigilant against incidents of identity theft and fraud. Trinity Health also established a dedicated call center to assist those who may be impacted by this event. Those who may be impacted can also find additional information at Website Notice.

Trinity Health wants to assure those who may be impacted that Trinity Health takes the responsibility to safeguard protected health information very seriously. Trinity Health deeply regret any inconvenience or concern this situation may have caused you. If you have any additional questions or concerns, please do not hesitate to call (855) 935-6070 from 8:00 a.m. – 5:30 p.m. Central Time, Monday – Friday, or email THresponse@kroll.com