The News Tribune reports that the Capital Region Medical Center in Missouri has started notifying patients whose protected health information (PHI) was accessed during a ransomware incident in December, 2021 that left their phone systems and network down for several days.
CRMC had disclosed the incident promptly but had not been able to immediately determine whether PHI was involved.
The types of PHI that may have been accessible include:
first and last name, date of birth, full mailing address, medical information, and health insurance information. For some patients, Social Security numbers, driver’s license numbers and financial account information may have been accessed.
Read more at News Tribune.
CRMC’s notice can be found linked from their website homepage. The notice does not indicate whether CRMC knows with any confidence whether any files were exfiltrated and/or leaked on the internet. DataBreaches.net has not spotted any data that might be from this entity on any of the leak sites routinely checked by this site, but of course, the absence of evidence is not evidence of absence. This post will be updated if the situation changes.
NOTE: This incident was included in the Protenus Breach Barometer compilation for December, 2021, using HHS’s guidance to assume a breach unless there was clear evidence otherwise. The incident was included without any number for number of patients possibly affected, as the incident had not been reported to HHS then. We should now see numbers reported to HHS for this incident.
Update: This incident was reported to HHS on March 11, 2022 as impacting 17,578 people.