An Indiana hospital has had to write to 12,000 people after malware breached its security defences to compromise a server used to collect personal data from web forms.

The affected individuals were mostly people who might have applied for jobs at Goshen Hospital in recent years plus some outpatients. Information put at risk includes names, addresses, and social security numbers, the hospital has told local media.

The malware remains unidentified beyond it being described as “a relatively common virus that is malicious,” which suggests an infection that remained undetected for some time. Patient records are isolated from the Internet and were never at risk.

Affected individuals have been contacted by letter and asked to check their credit reports for possible identity fraud with the hospital picking up the tab for fraud monitoring checks for at least 12 months.

The incident marks the second US hospital to be adversely affected by malware in as many months, after Gwinnett Medical Center in Lawrenceville Georgia was forced to turn away admissions after its systems were disrupted by a mystery “virus”.

Around the same time in New Zealand, the St John’s Ambulance service had problems in the radio coordination system used between its control centre and ambulances after a very similar malware outbreak.  

Both of those incidents were more serious and involved operational disruption rather than static data breach. The commonest type of hospital data breach indecent the world over remains the lost USB stick.