Radiology Associates of Albuquerque (aka RAA Imaging/Advanced Imaging, LLC) has recently notified patients that some of their protected health information was stolen in a cyberattack that was detected more than 12 months previously. RAA said suspicious activity was detected within its environment in August 2021. Prompt action was taken to secure its systems and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the incident.
The forensic investigation confirmed that unauthorized individuals had access to certain systems between July 22, 2021, and August 3, 2021, and copied files from its network that contained patient data. The investigation also uncovered unauthorized access to email accounts, with the email accounts accessed by unauthorized individuals at various points over the preceding 8 months, between December 22, 2020, and July 15, 2021.
RAA explained in a substitute breach notice on its website that the delay in issuing notifications was due to the time taken to investigate the incident. RAA said the review and cataloging of the affected files took until July 2022 to complete, then it took until September 2022 to verify up-to-date contact information. Notification letters have now started to be sent to affected individuals – 22 months after the first email account was breached, and 14 months after files containing PHI were removed from its systems.
The types of data potentially obtained by the attackers varied from individual to individual, and may have included the following data elements: name, contact information, demographic information, diagnosis, treatment information, information regarding mental/physical condition, medical record number, patient number, health insurance information, billing/claim information, Medicaid/Medicare information, biometric data, electronic signature, email/username and password/pin, marriage certificate, mother’s maiden name, vehicle information (VIN, license plate number), financial account and/or credit/debit card information, driver’s license or state/federal identification number, and/or Social Security number.
RAA said steps have been taken to improve security and better protect patient data and affected individuals have been offered complimentary credit monitoring and identity theft protection services. RAA has not publicly disclosed how many people have been affected. This post will be updated when the scale of the breach is known.
The post Radiology Associates of Albuquerque Notifies Patients About Security Breach That Started in December 2020 appeared first on HIPAA Journal.