[BreachExchange] Navicent Health Data Breach Exposes Patients' Personal Info

Destry Winant destry at riskbasedsecurity.com
Thu Apr 18 10:13:26 EDT 2019


https://www.bleepingcomputer.com/news/security/navicent-health-data-breach-exposes-patients-personal-info/

Navicent Health announced in March that they suffered a data breach
through unauthorized access to their email systems. This breach has
exposed the personal information of 270,000 patients, with some Social
Security numbers being disclosed.

Navicent first learned of this data breach in July 2018, when they say
they reported the breach to law enforcement and engaged with a
computer forensics firm to launch an investigation.

"Navicent Health was the victim of a cyber-attack that occurred this
past summer that may have involved some of its patients' personal
information," stated Navicent Health's notice. "Upon learning of the
incident in July, we promptly instigated a security incident
investigation. We also notified law enforcement and retained leading
forensic security firms to help us investigate and conduct a
comprehensive search for any personal information in the impacted
email accounts, and to confirm the security of our email and computer
systems."

On January 24, 2019, their investigation determined that only the
email system was compromised and that their other systems, including
the medical records system, were not breached.

The compromised email server, though, did contain the personal
information of patients. This data included names, dates of birth,
addresses and billing and appointment information. Navicent further
states that some of the compromised emails contained Social Security
Numbers of individuals.

According to breach information filed with the U.S. Department of
Health and Human Services Office for Civil Rights (OCR), the
information of 278,016 individuals was compromised by this breach.

While there is no indication that any of this information has been
fraudulently used, Navicent will be offering a free one-year credit
monitoring service to those whose Social Security Numbers were
exposed. They have also stated that affected users should monitor
their credit reports for fraudulent activity and report any that is
detected.

Navicent has begun to send notifications to those who were affected,
but it has not been disclosed why it has taken close to three months
to disclose the breach after determining what information was
exposed.

BleepingComputer has contacted Navicent Health with questions
regarding this breach, but has not heard back at the time of this
writing.

