Having your personal or financial information stolen by hackers is bad enough as it is, but we’re now seeing an uptick in healthcare data breaches. In addition to all these details, cybercriminals are also getting their hands on medical records, lab results, and more.
Just the other day, I covered a data breach at a health IT company in which thousands of children had their health information exposed. Now, a Maryland-based clinic has revealed that it suffered a similar breach back in October of this year.
As reported by Cybernews, the Center for Vein Restoration (CVR) with 110 locations across the U.S. fell victim to a data security incident that exposed the protected health information (PHI) of patients as well as the personal information of both current and former employees. While vein restoration is a more specialized medical procedure, approximately 445,000 people’s data has now been exposed online.
Here’s everything you need to know about this latest data breach including what to do next if you’re a patient of the Center for Vein Restoration along with some tips and tricks to help you stay safe from hackers after a major security incident like this one.
Stolen medical data
According to a data breach notice (PDF) on the Center for Vein Restoration’s website, on October 6, unusual activity was detected on its systems. After securing its systems and notifying law enforcement about the breach, the center initiated an internal investigation and then hired a third-party forensic firm for additional assistance.
The investigation revealed that while the unauthorized attackers were in CVR’s IT environment, they may have accessed files that included patient names along with some or all of the information listed below:
- Addresses
- Dates of birth
- Social Security numbers
- Driver’s license numbers
- Medical record numbers
- Diagnosis’
- Lab results
- Medications
- Treatment information
- Health insurance information
- Provider names
- Dates of treatment
- Financial information
As for past and current employees, information related to their employment may have been obtained by the hackers responsible for this data breach.
With all of this information in hand, hackers can launch a range of different attacks and scams against individuals impacted by this breach from targeted phishing attacks using this stolen info as a lure to identity theft. However, since they also obtained medical record numbers, lab results, details on treatments, and health insurance info, the hackers behind this breach could also commit medical identity theft wherein they submit forged claims to a person’s insurance provider or even to Medicare.
What to do next after a data breach
If you or someone you know has received treatment from the Center for Vein Restoration, you’ll very likely be receiving a data breach notification in the mail. Besides letting you know that a security incident occurred, these notices can also provide useful info on the steps you should take next and what the company involved in a data breach is doing to keep its customers (or patients) safe.
While some companies deny that a breach even took place or fail to provide victims with some form of protection afterward, the Center for Vein Restoration is taking this matter very seriously. Oftentimes with other data breaches, we learn details about what actually happened through a filing with a state’s Office of the Attorney General (usually Maine). In this case, CVR has a section right on its home page which is where I found the Notice of Data Security Incident linked above.
CVR is providing affected individuals with access to one of the best identity theft protection services through TransUnion. However, the notice on its site doesn’t explain the duration of these services but typically, companies provide either a one-year or two-year subscription. The duration will most likely be included in the official data breach notification letter you’ll receive in the mail if you’re impacted by this breach.
Just like with other data breaches, you’re going to want to carefully review all of your financial and health statements for irregularities which could point to fraud or identity theft. The same goes for your credit reports too though. It could also be worth placing a fraud alert or a security freeze on your credit so that hackers can’t take out new credit cards or loans in your name.
We could potentially learn more details at a later date but for now, CVR has taken all of the necessary steps on its end by informing patients and providing them with identity theft protection. However, you will need to sign up for this service and remain vigilant when it comes to checking all of your accounts for suspicious activity at least for the time being.