Malware Infection on New Mexico Hospital Imaging Server

The radiology department of Roosevelt General Hospital in Portales, New Mexico identified malware on a digital imaging server, which potentially allowed cybercriminals to access the radiological images of about 500 patients.

The malware infection was identified on November 14, 2019, and the server was quickly isolated to prevent further unauthorized access and to stop communication with the attackers' command and control server. The IT team succeeded in removing the malware, rebuilding the server and recovering all patient data. A scan was performed to check for any vulnerabilities. The hospital is now satisfied with the security and protection of the server.

The breach investigators did not find any information suggesting that the hackers viewed or stole protected health information (PHI) or medical images. Nevertheless, the possibility of unauthorized data access and PHI theft cannot be ruled out.

The security breach investigation is still in progress, but the hospital’s IT team has verified that only the imaging server was affected by the breach. The breach did not affect its medical record system or billing systems. The types of information likely compromised included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information and the genders of patients.

All patients whose information was accessible through the server were sent notification letters about the security breach by mail and were instructed to monitor their credit reports for signs of fraudulent activity. To date, the hospital has not received any report of patient information misuse.

The Department of Health and Human Services’ Office for Civil Rights has not yet published the incident on its breach portal, so the exact number of patients affected by the breach has not been reported. According to RGH Marketing and Public Relations Director Jeanette Orrantia, the hospital submitted the breach report to OCR within 60 days of discovering the incident.