From a Seacoast Radiology press release:
Seacoast Radiology, PA discovered on November 12, 2010 that an office server containing personal patient data and billing information was accessed by an unauthorized third party. Access to this server was disabled immediately and an independent investigation concluded that unauthorized use of patient and billing data is unlikely. All patients and patient billing guarantors have been notified.
The independent investigation indicated that personal information, including name, address, Social Security number, date of birth, medical procedure codes, diagnosis codes and billing information was stored on this server. Patient radiology reports, including radiographic images, and banking information was not stored on this server and therefore not breached.
Seacoast Radiology has engaged with several computer security experts and has implemented security procedural changes to keep patient data secure from unauthorized access.
In addition to procedural changes, Seacoast Radiology has contracted with ID Experts® to provide an informational toll-free number and website to answer questions about this incident. Patients with questions regarding this incident can visit www.SeacoastPrivacy.com.
This press release is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Seacoast Radiology, PA has notified patients, billing guarantors and the Department of Health and Human Services (HHS).
From the FAQ on the support web site:
On November 12, 2010, Seacoast Radiology discovered that there had been unauthorized access to an office server. No credit card information was contained on this server, as Seacoast Radiology does not at this time accept credit cards for payment. The server contained patient names, Social Security numbers, address, phone number and other basic information, as well as basic medical diagnosis codes and basic procedure codes for billing purposes. The server also contained information on individuals serving as ‘insurance guarantors’ for the patients, and some of these individuals did not have social security numbers in the computer. In some cases the guarantor information included name and address in addition to Social Security number. Some of the guarantors only had name and address associated with their information, without Social Security number.
Brendon Nafziger of DOTMedNews.com provides additional details:
A large radiology practice in New Hampshire said Wednesday hackers apparently breached a server containing Social Security numbers and medical codes for hundreds of thousands of patients, with the culprits likely rogue gamers looking for bandwidth to play the popular military shoot-’em-up Call of Duty: Black Ops.
The group estimates 231,400 patients might have been affected by the breach.
Read more on DOTMedNews.com.