There are so many breach reports these days that it’s hard to even find all the notices and reports about them. Many breaches that I log in the worksheets I compile for Protenus’s Breach Barometer annual report never even get posted on this blog.
Just today, for example, I found:
- a notice from Fairbanks Cancer Physicians disclosing that their patients had been impacted by the Elekta cyberattack;
- a notice from Dermatology Group of Arkansas disclosing that their patients had been impacted by a phishing attack;
- a notice from CentraCare Health and Carris Health – Willmar Lakeland Clinic (formerly known as Family Practice Medical Center) disclosing that their patients had been impacted by the Netgain Technology ransomware attack; and
- a somewhat unusual notice from Good Shepherd Centres in Canada that merited its own post.
None of the U.S. ones above have shown up in HHS’s public breach tool yet as far as I can determine.
And I am still mulling over a press release this week by Coastal Family Health Center. DataBreaches.net had broken the story of their May ransomware incident on June 11. Their press release of this week talks about some patient files being accessed. It does not come out and say that 506 GB of files with clinic, patient, and employee personal and protected health information was dumped on the dark web and that the center has no idea how many people have already downloaded it all for possible misuse. As of today, there is no report yet on HHS as to how many patients they have notified, but in addition to patients, there were many employees whose personal identity information and wage information (for W-2 forms, etc.) was dumped.
I understand that entities may want to downplay how serious a breach was, but there really ought to be a requirement that they disclose when they know that data has been publicly dumped so that people can factor that in when determining what they may need to do to protect themselves now and in the future.