New Mexico Hospital Discovers Malware on Imaging Server

Roosevelt General Hospital in Portales, New Mexico has discovered malware on a digital imaging server used by its radiology department. The malware potentially allowed cybercriminals to gain access to the radiological images of around 500 patients.

The malware infection was discovered on November 14, 2019 and prompt action was taken to isolate the server to prevent further unauthorized access and block communications with the attackers’ command and control server. The IT department was able to remove the malware and rebuild the server and all patient data was recovered. A scan was conducted to identify any vulnerabilities and the hospital is now satisfied that the server is secured and protected.

The investigation into the breach did not uncover any evidence to suggest protected health information and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out.

The investigation into the security breach is continuing but the hospital’s IT department has confirmed that the breach was limited to the imaging server. Its medical record system and billing systems were unaffected. The types of information accessible through the compromised server included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information and the genders of patients.

All patients whose information was accessible through the server have been notified about the security breach by mail and have been advised to monitor their credit reports for any sign of fraudulent activity. No reports of misuse of patient information have been received by the hospital to date.

The Department of Health and Human Services’ Office for Civil Rights’ breach portal indicates 28,847 patients have been impacted by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.