One of the reasons DataBreaches.net has never confined its reporting and analyses to HIPAA-covered entities is that there are so many other types of entities that collect and store health or medical information.
Today’s example comes from the National Capital Poison Center, who found themselves in the unenviable position of reporting a ransomware attack that involved records of people who called them between January 1, 1997 and October 21, 2017. Why they kept so much data connected is…. unknown to me.
From their notification:
What Information Was Involved? NCPC cannot determine whether any information stored in the database was subject to unauthorized access, and has received no reports of attempted or actual misuse of this information. The database server contains one or more of the following types of information captured during call center calls, if the information was provided: caller name, name of person possibly exposed to a poisonous substance and date of birth, address and telephone number, information about the exposure and clinical course, recommendations provided to the caller, caller’s email address, and if applicable, treating facility name and medical record number. Most calls have only a subset of this information.
NCPC does not indicate whether they paid any ransom or whether they attempted to restore from backup, and if so, with what results. And not surprisingly, they do not indicate how many people had their personal information involved in this incident.