Here’s today’s example of how an entity may claim that they had no reason to believe patient data had been compromised, only to find that it had been.
In February, Whitman Hospital & Medical Clinics (“WHMC”) in California discovered they had been the victim of a cyberattack that occurred between December 26 and February 28. When they disclosed the incident at the beginning of March, they stated that they had no reason to believe that patient information had been compromised.
What a difference a month makes. When a third-party forensics firm investigated, they found that the unauthorized party “may have accessed and/or acquired files that contain information pertaining to patients and members of WHMC’s Group Health Plan, including their names and one or more of the following: dates of birth, addresses, Social Security numbers, financial account information, diagnosis, lab results,
medications, other treatment information, health insurance information, provider names, and/or dates of treatment.”
On April 11, 2025, Whitman began mailing letters to individuals whose information may have been involved in the incident to inform them of the incident and offer them complimentary credit monitoring and identity protection services.
As of publication, no ransomware group or extortion group has claimed responsibility for the attack, and DataBreaches has not spotted any leak of data from the incident on the dark web at this time.