Hospital Hacker Steals Patients' Data

An unknown cyber-attacker has deleted data belonging to patients of a hospital in New Mexico. 

An unauthorized individual breached the IT network of San Juan Regional Medical Center in Farmington in September last year. The attack was reported to the United States Department of Health and Human Services' Office for Civil Rights on June 4 as a network server security incident impacting 68,792 individuals. 

In a statement released on October 7, the hospital said it had launched an investigation after identifying unauthorized access to its network on September 8, 2020.

The hospital said: "Upon learning of the issue, SJRMC immediately took steps to secure the network and mitigate against any additional harm. After an extensive forensic investigation, we determined that as part of this incident, an unauthorized individual removed information from our network September 7–8, 2020."

SJRMC undertook a manual review of the files that had been removed in the cyber-attack. The hospital discovered on July 13, 2021, that those files had contained "the personal and protected health information of certain patients."

The hospital said on October 7 that it is notifying the patients whose data was affected by the incident. Information compromised in the incident includes:

  • Names.
  • Dates of birth.
  • Social Security numbers.
  • Driver's license numbers.
  • Passport information.
  • Financial account numbers.
  • Health insurance information.
  • Medical information (diagnosis, treatment, medical record number, patient account number). 

"This incident does not impact all SJRMC patients, and not all information was impacted for all individuals. SJRMC is now notifying individuals so that they can take steps to protect their information," said the hospital.

SJRMC has not found any evidence to suggest that the compromised data has been misused. The hospital said that the attack did not involve ransomware. 

"Nevertheless, in addition to providing this website notice, SJRMC is sending notification to all affected patients for whom we have enough information to determine a physical address. We have also set up a dedicated call center," said the hospital.

Individuals whose Social Security numbers were in the files removed during the cyber-attack are being offered complimentary credit monitoring services.

What’s Hot on Infosecurity Magazine?