637,000 Patients Impacted in UNM Health Data Breach


It has been confirmed that an unauthorized third party was able to access the network of UNM Health, possibly obtaining access to and downloading files that included patients’ protected health information (PHI) .

Following the initial identification of the breach on June 4 2021 and a review of the UNM Health databases was begun in order to ascertain the damage caused and the true extent of the breach. This investigation found that UNM Health databases had been infiltrated by an unauthorized third-party on May 2, 2021. This infiltration may have impacted files that included the protected health information of UNM clients – including those of UNM Hospital, UNM Medical Group, Inc., and UNM Sandoval Regional Medical Center Inc.

An in-depth audit of every file on the accessed sections of the network was completed and showed that this was where data such as names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, and some clinical information related to the healthcare services provided by UNM Health was being held.

Additionally, the Social Security information of a small number of patients may also have been impacted as part of the breach. However, UNM Health was in a position to confirm that its medical record systems had not been impacted as part of the cyber attack.

On August 3 2021, UNM Health began issuing breach notification letters to any individual who may have had the private information impacted in the breach. Along with this, free credit monitoring and identity theft protection services have been made available to any individual who believes that their Social Security number may have been exposed as part of the breach.

To date, UNM Health has not opted to share the precise nature of the cyber attack but it has confirmed that additional enhancements have been made in order to bolster security of its network and prevent attacks of this nature going forward. Additional training is also being conducted for its staff to boost their knowledge in relation to information security and how to spot cyber attacks.

It was revealed, in the official breach report filed to the the Department of Health and Human Services’ Office for Civil Rights (OCR) that as many as 637,252 clients of UNM were impacted by the breach. These figures make the UNM breach the 19th largest healthcare data breach reported so far during 2021.