A data breach has hit a Utah medical services provider, exposing the records of nearly 600,000 patients.
The incident involved Utah Imaging Associates Inc., a radiology medical practice based in Farmington, Utah. In a notice published Nov. 18, the company said it had detected what it described as a “network security incident” on Sept. 4. After taking action to secure its network, Utah Imaging Associates engaged a third-party cybersecurity firm to conduct an investigation to determine the nature and scope of the incident.
The investigation was not good news for the company’s patients. The stolen data included personally identifiable information of 582,170 people. The data consisted of first and last name, mailing address, date of birth, Social Security number, health insurance policy number and medical information. The company did not provide any details on how the data theft took place.
Utah Imaging Associates claims that there is no evidence of the misuse of the stolen data. As a precaution, the company is offering those impacted free credit monitoring and identity theft restoration services through IDX.
The standout part of the breach notification was the delay of more than two months between the data theft and Utah Imaging Associates informing patients.
“In this time frame, patient records were likely used for nefarious activities without the patient even knowing records were stolen,” Christian Espinosa, managing director of information technology service management company Cerberus Cyber Sentinel Corp., told SiliconANGLE. “When data breaches like this happen, it is crucial to notify as soon as the breach is confirmed. Timely notification allows patients to take proactive measures before their stolen records are abused, such as freezing credit and setting up account monitoring alerts.”
Erich Kron, security awareness advocate at security awareness training firm KnowBe4 Inc., noted that medical data is always valuable to cybercriminals, as it contains a lot of sensitive information, often including Social Security numbers, addresses and medical conditions. Kron explained that the stolen data is not only valuable for identity theft but can also be used to run scams targeting victims, such as posing as staff from a hospital.
“By knowing what procedures a person has had and when, along with other information, they could convince victims that a payment is due or some other con that would be very believable,” he said. “Protection of medical data should be a high priority, and those who store and use this data should regularly review processes and procedures, along with technical controls, that relate to the data protection.”