New details emerge on Siouxland Pain Clinic breach (updated)
On August 1, I noted some media reports about a breach at the Siouxland Pain Clinic. As I mentioned, the reports raised more questions than they answered. Mike Bell of the Sioux City Journal now has a few more details:
Siouxland Pain Clinic sent letters Friday to more than 13,000 patients that their medical and other personal information may have been exposed in a hacking attack, a lawyer for the clinic said Monday.
“We never did prove that any information was taken, but we could not disprove that, either,” said Lonnie Braun, an attorney in Rapid City, S.D.
Braun said patients’ names, medical information, Social Security numbers and addresses may have been compromised when the clinic’s server was hacked between March 26 and April 2.
As to how the clinic learned of the breach, well, it’s still not clear who notified them. Bell reports:
The clinic was notified of the breach June 26. Braun said the firm that discovered it said the investigation showed the hackers were Chinese.
So it was an external party that alerted them to the breach on June 26? If so, the patients are lucky that the breach didn’t go undetected for even longer.
Read more on Sioux City Journal.
As of this morning, there is still no notice linked from the clinic’s home page, and the incident is not yet up on HHS’s public breach tool. Nor can I find any substitute notices, although Google is not great about indexing classifieds/legal notices, so it may have appeared in local media already.
It is somewhat surprising that the clinic is not offering patients free credit monitoring services if Social Security numbers were involved. Although not all entities do that, it seems like a good litigation defense in terms of mitigation and it’s better from a public relations perspective to do something to help patients instead of just leaving them to arrange for monitoring at their own expense.
Update: the incident was reported to HHS on July 31st by Siouxland Anesthesiology, Ltd.