N.M. Hospital Breach Jeopardizes Data of More Than 500 Patients
The cyber attack was identified on September 2020, and patients were notified earlier this month.
In Fall 2020, the San Juan Regional Medical Center, in Farmington, New Mexico, noticed that its computer network had been breached and that the personal information of more than 500 patients had been stolen. It took the hospital almost a year to inform those patients of the incident.
The letter, which was emailed to patients on June 4, stated that patient account numbers, medical record numbers, and medical diagnosis/medical treatment information had been stolen, but with no evidence that the information had been misused, reports the Farmington Daily Times. San Juan Regional’s letter further provided guidance to patients on what they can do to protect themselves, such as placing a fraud alert and security freeze on their credit reports. The hospital also posted a notification of the breach in the news section of its website.
So far, it appears as if those who had information stolen have not been affected.
“They had a whole year to use everybody’s information and I’m surprised nothing happened yet,” said one patient.
Still, when social security numbers, driver’s license numbers, financial account numbers, and health insurance information are in the wrong hands, patients fear that eventually some problems will occur.
The information was obtained from San Juan Regional’s billing records. The hospital’s electronic medical record system was not impacted by the breach.
A third-party cybersecurity team that investigated the incident said the information was taken by an unauthorized individual. The hospital conducted its own manual review, as well, and has since taken steps to implement tighter safeguards to its network.
When asked why the manual review of affected documents took several months, San Juan Regional replied that some of the documents were dense and unformatted.
“San Juan Regional Medical Center’s document review was thorough and worked to extract all potentially sensitive data, even if the formatting of the documents, or lack of formatting, would have made it difficult if not impossible for anyone to collect any usable data from the document.”