California-based Salinas Valley Memorial Healthcare System (SVMHS) has notified patients and employees of a cyber-attack potentially compromising their personal data.
In April 2020, SVMHS detected that an employee’s email account had been compromised. Over the next two months, four other email accounts were exposed, three belonging to employees and one belonging to a contractor. Its investigation revealed that the unauthorized person(s) only had access to the inboxes for a few hours.
In response, SVMHS disabled access and reset passwords to the compromised email accounts. SVMHS indicated it was taking other preventative measures but did not provide specific details in its notice to patients and employees.
The hospital sent letters to notify its employees and patients that exposed information may have included: names, hospital account numbers, medical record numbers, service location, and attending physician’s information. In its notice, SVMHS explicitly stated that the personal data did not include social security numbers, driver’s license numbers, or bank account numbers.
SVMHS does not have any evidence at this time that the “unauthorized person(s) viewed, retrieved or copied any medical or personal information.” However, it is still providing potentially affected individuals the option to enroll in a year of identity theft protection services for free.
Founded in 1953, SVMHS serves individuals throughout Monterey County. It has over 300 physicians and more than 1,800 employees. Its broad service offerings include orthopedic surgeries such as total joint replacements, anterior cruciate ligament (ACL) reconstruction, and spinal surgery.
Data continues to be vulnerable as reports of data breaches become more commonplace. Healthcare data breaches of 500 or more records are reported to the Department of Health and Human Services. The Office for Civil Rights is currently investigating 45 California data breaches from the past 24 months.
For OTW’s recent coverage of data breach issues, see “Ozark Orthopaedics Data Breach Exposes Over 15,000 Patients” and “Victims Can Sue Ortho Clinics if Data Hacked.”
