Schneck Medical Center announced Friday that it was notifying “a limited number” of patients of a data security incident that resulted in the access and exfiltration of some files containing protected health information (PHI). They do not indicate how many patients are being notified and the incident does not yet appear on HHS’s public breach tool.
What we can determine from their notice on their website, however, is that the incident occurred on September 29, 2021. Schneck does not reveal when they first discovered an incident had occurred. Nor do they offer any reason for it to take more than seven months from the incident to start notifying patients. They do state that the types of information included:
full names, addresses, dates of birth, medical record and/or other internal identification numbers, driver’s license/state identification numbers, medical diagnosis and conditions information and health insurance/claims information. “Additionally, with respect to a limited number of patients,” they write, “the information included Social Security numbers, financial account information, and/or payment card information.”
Schneck’s notice does not indicate whether this was a ransomware incident, and if so, whether they paid any ransom. Because their notice states that Schneck “has no evidence that any of the information was or will be misused,” DataBreaches sent an inquiry as to why they made that statement about future misuse — whether they had paid ransom or not. No response was immediately forthcoming. DataBreaches will update this post when a reply is received.
Some affected patients may be eligible for credit monitoring services.
This breach was first reported in the media by The Tribune.