DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Center for Orthopaedic Specialists notifies 85,000 patients of ransomware attack

Posted on April 25, 2018October 5, 2024 by Dissent

The Center for Orthopaedic Specialists (COS) in California has three locations in West Hills, Simi Valley and Westlake Village. COS has been notifying 85,000 current and former patients of a ransomware attack on their unnamed IT vendor in February. From their April 18 notice on their web site:

The Center for Orthopaedic Specialists (COS) recently learned that our computer system was compromised by a security event that affected our three facilities in West Hills, Simi Valley and Westlake Village, Calif. Malicious software was used to gain access to and encrypt patient data in our system in the hopes of getting COS to pay money to restore access to the patient data. To the best of our knowledge, no patient information was removed by any unauthorized party as a result of this event. However, out of an abundance of caution, we are notifying all patients whose information was stored on the compromised system. A notification letter was sent to all current and former patients of COS (or to their legal guardians or representatives as appropriate).

What Happened

A third-party technology vendor provides COS with information technology (IT) services. We recently received notice from the IT vendor that an unauthorized party had illegally accessed COS’s computer network. Working with the IT vendor, we immediately launched an investigation into the matter. The investigation determined that the unauthorized party began attempting to access our system beginning Feb. 18, 2018. The IT vendor indicated that the affected system was permanently taken offline before any patient information could be removed by the unauthorized party.

What Information May Have Been Involved

The patient data that was encrypted by the unauthorized party could have included a patient’s name, date of birth, details about their medical records, and Social Security number. To the best of our knowledge, no patient information was downloaded or removed by the unauthorized party.

What We Are Doing To Support Our Patients

We have notified federal law enforcement officials, who may choose to conduct a criminal investigation into the matter. We continue to work with our third-party technology vendor to address the issue, and as noted above, the affected system was taken offline permanently.

As an added precaution, we have arranged to have ID Experts provide identity protection services for 24 months at no cost to our patients. This service is optional but we strongly encourage our current and former patients to take advantage of the benefits it provides. Eligible patients may enroll at idexpertscorp.com/protect or by calling (888) 312-0811 and providing the membership enrollment code provided in the letter mailed to their home. If you have not received a notification by mail but feel you should have, please contact ID Experts for assistance. Representatives can be reached at (888) 312-0811, Monday through Friday, 6 a.m. to 5 p.m., Pacific Time.

For any patient concerned about identity theft, COS recommends regularly reviewing statements from your accounts and health care providers, and periodically obtaining your credit report from one or more of the national credit reporting companies. You may obtain a copy of your credit report once every 12 months free of charge by either visiting annualcreditreport.com, calling toll free to (877) 322-8228, or by completing a request form found at ftc.gov/bcp/menus/consumer/credit/rights.shtm and mailing it to: Annual Credit

Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. For questions about identity theft, credit monitoring and how to keep information secure, visit
consumer.ftc.gov/topics/identity-theft.

See also the page about this incident by IDExperts.  Providence Health & Services also submitted the following notification to California:

Providence COS Patient Notification Letter_0

COS did not reveal the type of ransomware involved or the amount of the ransom demand or anything about the identity of the attacker(s). Nor did they immediately respond to an emailed inquiry from DataBreaches.net asking about the ransomware and ransom demand.  The incident is not listed on HHS’s public breach tool as of the time of this posting.

Category: HackHealth DataMalwareU.S.

Post navigation

← 1 Million US Children Affected by Identity Theft Last Year, Infuriating Study Finds
Update: Prague, Oklahoma youth pastor in computer crimes probe previously worked at GCTC →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.