Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (CSCC) in Virginia issued a press release yesterday.
According to their timeline, on or around June 19, they became aware of unusual activity in an employee’s email account. Their investigation subsequently determined that unauthorized access to the one account occurred between June 15 and June 19.
The more time-consuming part seemed to be figuring out what information was in that account and who would need to be notified. That process was completed on or around October 17.
The information present in the emails varies by individual, but may include patient name, date of birth, Social Security number, driver’s license number, passport number, medical record number, patient account number, payment card information, financial account information, medical history, health insurance information, treatment information and/or date(s) of service.
They do not appear to be offering patients any complimentary services, and this incident has not yet appeared on HHS’s public breach tool.
You can read the full press release here.
Update: A commenter (see below) reports that information on complimentary monitoring services was mailed out on Nov. 26.