Centrelake Medical Group, which has 8 medical imaging and oncology centers located in California, is sending notifications to some patients about the exposure of some of their protected health information (PHI) because of a computer virus infection.
The medical group discovered the computer virus in February 2019 when it was not able to access its files. The virus seems to be a kind of ransomware, though the media notice released by Centrelake did not say anything about ransomware or a ransom demand.
A computer forensics firm helped with the investigation to find out the extent of the attack and if the attacker accessed or copied any files that contain PHI. According to the investigation findings, an unauthorized person accessed the servers on January 9, 2019. Before the virus was deployed on February 19, 2019, the unauthorized person had accessed the servers without being noticed.
It is not uncommon for hackers to install ransomware on systems after breaching security defenses. In a number of cases, the attacker first investigates the system and exfiltrates all valuable information before deploying the ransomware. In this instance, the computer forensics firm did not find any proof that the attacker accessed or copied patient information when the system was accessed. There was also no report received regarding any attempt or actual misuse of information.
The unauthorized third party accessed the servers that contained software programs and files that may possibly contained patient information including names, telephone numbers, addresses, health insurance details, diagnoses, services received, dates of service, referring provider details, medical record numbers, Social Security numbers and driver’s license numbers.
Centrelake Medical Group advised the patients to watch out for the possible data misuse and reminded the patients to keep track of their explanation of benefits statements, financial accounts and credit reports for any indication of falsified activity. The patients provided a toll-free number that patients can access to get more information, however it seems that patients are not offered credit monitoring and identity theft protection services.
The Department of Health and Human Services’ Office for Civil Rights has not yet published the incident on its breach portal, thus the exact number of patients the breach affected is still not clear.