Monterey Health Center in Oregon, Central Valley Regional Center in California both announce patient data breaches
On August 12, 2019, Monterey Health Center in Oregon became aware that they had suffered a ransomware attack. According to a press release issued yesterday, they were able to restore patient data, and were able to rule out any data exfiltration, but were not able to rule out access to the patient data.
The types of information stored on the impacted server includes: name, address, driver’s license, financial account information, Social Security number, date of birth, medical history, diagnosis/conditions, lab/test results, treatment information, medications, health insurance information, and/or claims information.
Meanwhile, in California….
In other announcements yesterday, Central Valley Regional Center in California announced that it is notifying patients of a breach that occurred when an employee’s email account was accessed by an unauthorized third party. The center became aware of the breach on July 29, 2019. Their investigation determined that between July 25–August 2, 2019, access was possible to what sounds like more than one employee’s email account(s).
On August 12, 2019, CVRC determined that data containing individuals’ personal information within one or more email accounts may have also been affected.
This information may have included individuals’ names, addresses and contact information, dates of birth, dates of death, Social Security numbers, driver’s license information, state identification card or other government identification numbers, Medi-Cal numbers, UCI numbers, and/or medical or health information or health insurance information. For a limited number of individuals, Taxpayer Identification numbers, financial account or payment card information, PINs or other access codes, account passwords, usernames, email addresses or electronic identifiers and the means to access the related accounts, and/or IRS PINs may have also been affected.
CVRC is offering those affected credit monitoring and credit protection services.
Neither press release indicates the number of patients being notified, but expect to see both of these incidents on HHS’s public breach tool at some point.