Saint Francis Health System said in a statement it was notified by email on September 7, 2016, about an unauthorized external access of a server, and patient information was obtained.
Saint Francis spokesperson Sevan Roberts said there was also an anonymous demand for payment to recover the information.
Roberts said after working with forensics investigators, they discovered the information taken from the server appears to be a list of about 6,000 names and addresses. She said Social Security numbers, driver's license and financial information are not included on the list.
The hospital disabled the server and discussed the situation with law enforcement and decided not to act on the demand for payment.
“Saint Francis decided not to act on the demand because payment does not guarantee or prevent data from being disclosed. The health system understands the importance of protecting our patients' information, and deeply regrets that this occurred,” the statement said.
Saint Francis said notification letters are being mailed to individuals who may have been affected and complimentary participation in “identity monitoring service” will be provided. Roberts said the hospital is working with federal authorities.