[BreachExchange] Malware on imaging server compromises data at New Mexico hospital

Destry Winant destry at riskbasedsecurity.com
Thu Dec 26 10:03:53 EST 2019


Last month, Roosevelt General Hospital in Portales, N.M., found
malware on a digital imaging server containing radiological images and
patient data.

The organization estimates that the data of about 500 patients may
have been put at risk from the malware attack.

The information technology department secured and restored the server,
and patient information was recovered, according to the organization.
An evaluation of server vulnerabilities was performed, and the
hospital believes all other risks to data have been mitigated.

Nine types of protected health information were potentially compromised,
including Social Security numbers, patient names, addresses, dates of
birth, driver’s license numbers and patient gender.

Although experts and the organization could not confirm that data had
actually been compromised, and that the data would have been
accessible to hackers, Roosevelt General now is alerting potentially
affected patients and offering assistance in monitoring their
information. The hospital has not publicly identified the protective
services firm aiding patients or the duration of credit monitoring
services and possibly identity protection.

“With security events such as this one, time was taken to thoroughly
investigate what occurred and identify the individuals who have been
affected,” the organization explained in a statement. “Since then, the
server has been secured and patient information has been restored.”

The breach has been reported to the Department of Health and Human
Services, and the number of affected individuals will be posted on the
Office for Civil Rights’ data breach web site.

“Although we are continuing our investigation, there is no evidence at
this time that any patient data has been wrongfully used,” says Kaye
Green, CEO at Roosevelt General Hospital. “The malware identified on
the radiology server was contained and terminated immediately upon
detection. This breach did not affect our electronic health record
system or billing system.”
