California Medical Group's Ransomware Breach Affects 3.3M
Regal Medical Group Says Patients of Several Affiliates Are Among Those Affected
More than 3.3 million southern Californians had their personal health information stolen during a ransomware attack, reports Regal Medical Group, one of the largest Southland medical groups.
Regal reported the hacking incident on Feb. 1 to the Department of Health and Human Services as affecting several of its affiliated medical groups, including Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group.
The medical group of more than 3,000 primary care doctors says it became aware of the breach on Dec. 8 and that the data compromise occurred about a week earlier.
Regal employees had noticed difficulty in accessing some of the organization's servers, the notice says. After an extensive review, malware that a threat actor used to access and exfiltrate data was detected on some of Regal's servers, according to the notice.
Patient data potentially compromised in the incident includes names, Social Security numbers, addresses, birthdates, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and phone numbers.
The organization is offering affected individuals one year of complimentary credit monitoring, and it says it has notified law enforcement about the incident.
Regal did not immediately respond to Information Security Media Group's request for additional information about the incident.
Growth Pains
Regal is among the many healthcare sector organizations that have grown in recent years through mergers and acquisitions, as well as through affiliations with other medical entities. That growth potentially contributed to its data security incident affecting so many patients, some experts say (see: Mergers and Acquisitions in Healthcare: Security Risks).
"The entire organization is going to be at risk once a connected network is in place. This is why understanding the security stance of a potential acquisition before implementation to the network is so important," says Susan Lucci, senior privacy and security consultant at consultancy tw-Security.
The Regal incident is by far the largest posted so far in 2023 on HHS OCR's HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.