DANVILLE — A vendor associated with one of Geisinger’s billing contractors recently notified Geisinger patients of a data breach that compromised personal and protected health information.

Geisinger contracts with VisitPay for online billing services. On July 18, VisitPay notified Geisinger that Kaye-Smith, a marketing execution and supply chain vendor for VisitPay, was subject to a malware attack. Risk assessment revealed an impact on 2,857 Geisinger patients across the health system’s service area. Kaye-Smith began notifying patients on Sept. 16.

While there is no evidence that the information has been used for malicious purposes, the data that may have been viewed includes names, addresses, medical record numbers, member ID numbers, dates of service and payment installment plans. No sensitive financial information, such as social security numbers, bank account numbers, or credit card numbers, was exposed as part of the incident.

“The privacy of our patients and members is our highest priority, and we rigorously vet our vendors to protect that privacy,” said Jonathan Friesen, chief privacy officer at Geisinger. “There is no indication that information has been used to commit fraud, but Kaye-Smith is providing credit monitoring to patients who were affected. Even though we believe that the risk to our patients and members stemming from this incident is relatively low, we recommend that those who were affected take advantage of the credit monitoring offered by Kaye-Smith.”

Patients and members who received notification from Kaye-Smith should use the toll-free number provided in the letter if they have questions.