More than 40,000 affected in the latest cyber attack

Register now

A recent cyber attack at Stamford Podiatry Group in Connecticut put protected health information of 40,491 patients at risk.

The organization contacted patients this week to inform them that their protected health information was compromised. The hack of systems by a smaller healthcare organization is a reminder that such attacks can happen to any healthcare provider or payer organization.

The practice’s technology contractor discovered the attack on the night of April 14 and shut down the information systems, says Rui DeMelo, DPM, vice president and owner. That is unlike how many organizations typically find out that they have been attacked, as law enforcement agencies investigating a cyber incident typically find other organizations that were hacked and notify them.

The following day, the practice engaged Equifax for investigation and remediation activities that included eradicating malware and backing up data to an off-site location, says DeMelo. Remediation was completed on April 29. The investigation found that the intruder had access to systems from February 22 to April 14.

Compromised protected health information could have included medical history and treatment information in the electronic health records system, names, birth dates, Social Security numbers, gender, marital status, addresses, telephone numbers, email addresses, insurance coverage information and names of treating and referring physicians.

In a notification letter to patients, the practice said, “Although we have not been able to confirm that your personal information was accessed and copied, we have not been able to rule out that possibility and encourage you to take the protective measures described below.” The measures included reviewing account statements, monitoring credit reports and accepting one year of free credit monitoring and identify theft protection services from Equifax.

Stamford Podiatry has retained cybersecurity experts and is implementing additional unspecified security measures to prevent further intrusions.

For reprint and licensing requests for this article, click here.