Loudoun Medical Group Comprehensive Sleep Care Center (CSCC) in the US has recently learned of an incident that may affect the privacy of certain information.
To date, CSCC claims it has not received any reports that personal information has been misused as a result of this incident; however, CSCC says it is providing notice of this incident so that potentially affected individuals may take steps to better protect their personal information, should they feel it appropriate to do so.
On or around June 19, 2019, the Loudoun Medical Group Information Technology (LMG IT) Department became aware of unusual activity related to a CSCC employee’s email account. The organisation immediately took steps to respond to and investigate this activity and change the user’s password.
Based on this review, LMG IT says it determined that an unauthorized individual possibly gained access to the employee’s email account, before commencing a comprehensive investigation to determine the nature and scope of the incident.
Through the investigation, which included working with third party forensic investigators, LMG IT says it determined that an unauthorized actor(s) gained access to a single Loudoun employee email account between June 15, 2019 and June 19, 2019.
CSCC then commenced a review of all data present in the account to determine what records were present, to whom that data related, and contact information for those individuals. This process was completed on or around October 17, 2019. While, to date, the investigation has found no evidence of actual or attempted misuse of data, it did determine that the email account affected by this incident contained certain personal information.
The information present in the emails varies by individual, but may include patient name, date of birth, Social Security number, driver’s license number, passport number, medical record number, patient account number, payment card information, financial account information, medical history, health insurance information, treatment information and/or date(s) of service.
In an official release, CSCC stated:
“CSCC places the highest priority on the confidentiality, privacy and security of the personal information in our care. Upon learning of unusual activity in an employee email account, CSCC immediately commenced an investigation to confirm the nature and scope of the event and identify what personal information may have been present in the affected emails.
“With the assistance of third-party forensic investigators, CSCC has been working to identify and put in place resources to assist potentially affected individuals and is implementing additional safeguards to further protect the security of information in its systems. CSCC also reported this incident to the U.S. Department of Health and Human Services and state regulators, as appropriate.”
The post #Privacy: US medical group releases more details of data incident appeared first on PrivSec Report.