The protected health information (PHI) of hundreds of thousands of heart patients may have been exposed during a cyber-attack on South Denver Cardiology Associates (SDCA).
In a recent privacy incident notice issued to its patients, the healthcare provider disclosed that its network had been breached in January 2022. The unknown perpetrator(s) gained access to files containing information on 287,652 patients during the attack.
SDCA said: “On January 4 2022, we identified unusual activity within our computer network. We immediately initiated our incident response process, which included taking steps to secure the network and shutting off select computer systems.
“We also began an investigation with the assistance of a computer forensic firm and notified law enforcement.”
Investigators determined that the files accessed in the attack contained patient information, which may have included patients’ names, dates of birth, Social Security numbers and/or drivers’ license numbers, patient account numbers, health insurance information and clinical information, such as physician names, dates and types of service and diagnoses.
SDCA said that the attack had not impacted the contents of patient medical records. The healthcare provider also said that the security incident did not involve unauthorized access to the patient portal.
“We have no indication that individuals’ information has been misused as a result of this incident,” said SDCA. “However, as a precaution, on March 4 2022, we began mailing letters to our patients, which include guidance on how patients can protect their information, as well as details on an offer of complimentary credit monitoring and identity protection services.”
James McQuiggan, a security awareness advocate at KnowBe4, commented: “Healthcare organizations are a prime target for criminal groups because of sensitive personal data kept in their systems.”
McQuiggan counseled all organizations, including healthcare providers, to reduce the risk of compromise by investing in their employees and providing an engaging cybersecurity training program that will help them spot social engineering scams, such as phishing emails.
“Organizations that suffer a data breach discover the costs to recover have a significant financial impact,” noted McQuiggan.
“In comparison, the costs to implement a security awareness training program for their employees are lower.”