The radiology department of Roosevelt General Hospital located in Portales, New Mexico found malware in one digital imaging server, which possibly resulted in enabling the hackers to gain access to the radiological photos of approximately 500 patients.
The malware installation was found on November 14, 2019 and immediate action was done to separate the server and stop even more unauthorized access and obstruct contact with the command and control server of the hackers. The IT unit was successful in taking away the malware, repairing the server and retrieving all patient information. A scan was done to search for any flaws. The hospital is currently happy with the security and protection of the server.
The inspectors of the breach failed to get any proof that indicates the viewing or stealing of protected health information (PHI) and radiological photos by the attackers, although the likelihood of unauthorized information access and theft can’t be eliminated.
The security breach investigation is still ongoing, however, the hospital’s IT unit has affirmed that only the imaging server was impacted by the breach. The breach didn’t impact its billing systems or medical record system. The types of data possibly compromised comprised names, addresses, telephone numbers, birth dates, Driver’s license numbers, Social Security numbers, medical insurance data, healthcare data and the sex of patients.
All persons whose data was compromised through the server got notification letters concerning the security breach via mail and were cautioned to keep an eye on their credit reports for indications of falsified transactions. Thus far, the hospital hasn’t received any report on patient data misuse.
The Department of Health and Human Services’ Office for Civil Rights hasn’t posted the breach yet on its breach website, therefore there is no report yet regarding the actual number of patients impacted by the breach. As stated by RGH Marketing and Public Relations Director, Jeanette Orrantia, the hospital filed the breach report to OCR within 60 days after learning about the episode.