University Medical Center of Southern Nevada Confirms PHI Compromised in June Cyberattack
University Medical Center of Southern Nevada (UMC) has issued an update on a cyberattack it experienced in June 2021 and has now confirmed that some patient information was compromised in the attack.
The cyberattack occurred on June 14, 2021 and was conducted by a “by a well-known group of cybercriminals that seek to use the information for commercial gain,” according to a July 29, 201 UMC press release. UMC explained that suspicious activity was detected within its IT environment and prompt action was taken to remove the attackers from its network. UMC said the breach was contained the on June 15, with the initial investigation suggesting the attackers had gained access to certain file servers; however, the prompt action taken by its IT Division meant there was no disruption to patient care or its clinical systems.
Initially, UMC said it had no reason to believe any clinical systems were accessed by the attackers, although the investigation into the cyberattack was ongoing to establish the nature and scope of the cyberattack. The forensic investigation has now confirmed that certain files containing patients’ protected health information were compromised in the attack.
Those files contained information such as names, addresses, dates of birth, Social Security numbers, health insurance information, financial information, and some clinical information, including medical histories, diagnoses, and test results. UMC said no evidence has been found to indicate any specific misuse of patient information.
Notification letters are now being sent to all individual potentially affected by the attack and complimentary identity theft protection services are being provided.
UMC said it notified the FBI and Las Vegas Metropolitan Police Department about the attack and has been working closely with third-party cybersecurity consultants and will be implementing additional internal and external technology solutions to better protect patient data and prevent further cyberattacks.
The breach has been reported to the HHS’ Office for Civil Rights as affecting 1.3 million individuals.