Share this article on:
Patients of Central Ohio Urology Group whose protected health information was stolen and posted online in August have now been notified of the security breach.
While it is not clear exactly when the hack occurred, the data stolen in the cyberattack were dumped online on August 2, 2016. A wide range of patient data were uploaded to Google Drive by the hackers and were freely accessible. The hackers behind the attack – Pravvy Sector (Pravyi Sektor) – sent out links to the data on Twitter.
The data appeared to have been stolen from an internal server used by Central Ohio Urology Group. Access to the server is understood to have been gained using SQL injection – a technique commonly used by hackers to gain access to web application database servers. At the time it was unclear exactly how many patients had been impacted by the breach, although the stolen data included 401,828 files including images, videos, text files, documents and spreadsheets.
Central Ohio Urology Group has now confirmed that it became aware of the breach on August 2 when the data were posted online. Action was immediately taken to remove the data. According to the breach notice “We contacted law enforcement and had the information removed from the online drive within hours.”
An investigation was conducted to determine how access to the data was gained, and all of the stolen files were reviewed to determine how many individuals had been impacted. The breach notification sent to the Department of Health and Human Services’ Office for Civil Rights indicates 300,000 patients were impacted.
The data stolen in the attack included the names of patients, telephone numbers, addresses, email addresses, dates of birth, driver’s license numbers, State ID numbers, Social Security numbers, health plan and health insurance information (including identifiers), patient ID numbers, account information, employment-related information, medical histories, diagnoses, and treatment information.
Central Ohio Urology Group has offered all affected patients a year of complimentary identity theft protection services, and steps have been taken to bolster security to prevent future data breaches. Those measures include a new firewall, network monitoring software, and controls to restrict access to patient data.