On August 7, Central Utah Clinic, P.C. posted a breach notification on their web site:
PUBLIC NOTICE: Potential Central Utah Clinic HIPAA Breach
PROVO, Utah (Aug. 7, 2014) — Central Utah Clinic is committed to the protection of patient privacy and is notifying 31,677 patients, by letter, of a potential personal health information breach.
On June 9, 2014, Central Utah Clinic IT professionals discovered unauthorized individuals had compromised one of their servers. Each month, Central Utah Clinic successfully defends against numerous cybercriminal attacks. However, during this particular targeted attack, Central Utah Clinic security measures were circumvented.
Following discovery of the compromise, the server was isolated to prevent further risk of unauthorized information disclosure. A thorough forensic investigation found no evidence that personal information was viewed or copied from the server to an unauthorized location. Additionally, there is no indication that any of the other 100+ Central Utah Clinic servers were compromised.
The accessed server was not a complete database of patient information, but rather a limited subset of written imaging and radiology reports dated 2010 and earlier. The accessed server did store data on some individuals containing patient information with one or more of the following fields: name, date of birth, Social Security number, address and phone number.
“Protecting our patients’ information from exposure of any kind beyond what is needed for treatment, and particularly from cybercriminal activity, is a key focus at Central Utah Clinic, and we take full responsibility for this incident,” said Scott Barlow, CEO of Central Utah Clinic. “These attacks are an unfortunate aspect of information technology and modern healthcare is not immune from this. It is important to understand there is no indication that any of our patients’ personal information was viewed or copied. Regardless, we are committed to transparency and working with our patients to mitigate possible effects of this occurrence.”
Central Utah Clinic contacted appropriate regulatory authorities and has taken additional steps to safeguard patient information, including partnering with an advanced technology security firm and offering complimentary personal credit monitoring services to patients involved in the potential breach.
Involved parties are being contacted by mail. Individuals who believe their information may have been involved or who need additional information should contact Central Utah Clinic toll-free at 1-844-714-0284.
About Central Utah Clinic: Comprised of more than 170 physicians, Central Utah Clinic is the largest independent, physician-owned, multi-specialty practice in Utah. Based in Provo, UT, Central Utah Clinic provides care in 25+ specialties with many primary care and specialty providers located throughout the state.
Although not mentioned in their press release, Central Utah Clinic reported to HHS that the breach occurred on October 9, 2012, and continued until June 21, 2014.