San Andreas Regional Center Victim of Ransomware Attack

San Andreas Regional Center in San Jose, CA has started notifying patients that their PHI may have been compromised in a July 2021 ransomware attack.

On July 5, its networks and servers were taken out of action as a result of the attack. Steps were rapidly taken to remediate the attack and third-party computer forensics experts were engaged to investigate the breach, determine how access to its systems was gained, and to discover the extent to which patient data had been affected.

The initial investigation into the ransomware attack was concluded on August 2, 2021, when it was confirmed that the attackers had gained access to parts of the network where patients’ protected health information was stored and certain files stored on its servers that contained patient data had been exfiltrated by the attackers prior to the use of ransomware. It was not possible to determine any specific patient information that was stolen by the attackers.

At the time of issuing notification letters to affected patients, San Andreas Regional Center had not identified any instances of attempted or actual misuse of patient data. A review of all files accessible to the attackers confirmed the following types of patient data were potentially compromised in the attack: First and last names, addresses, dates of birth, telephone numbers, Social Security numbers, email addresses, health plan beneficiary numbers, health insurance information, full-face photos, and or comparable images, UCI (unique identifying number or code generated by SARC for patients), medical information, diagnoses, disability codes, and other certificate/license numbers.

Policies and procedures are being updated, employees have received further cybersecurity training, and additional cybersecurity safeguards are being implemented to strengthen security. Complimentary credit monitoring and identity theft protection services are being offered to affected individuals.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 57,244 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.