Cardiovascular Associates Admits to Data Breach Affecting Patients Seen in Alabama
Table of Contents
- By Steven
- Feb 10, 2023
Every time we see a medical data breach, we think, “There can’t possibly be any more. That’s every hospital in the U.S.!” It’s not. This breach could have easily affected thousands, depending on the practice size. Not only that, but Cardiovascular Associates sent multiple letters to different victims – some of them were for the “parent or guardian of” a specified individual. This means that people with disabilities that live with a parent or guardian, along with an unknown number of minors, were likely affected by the breach.
How Did the Attack Occur?
An unauthorized individual accessed some of Cardiovascular Associates’ (CVA) internal systems. The systems were variable and contained different information in each. However, upon involving a forensic team, CVA realized that some of the accessed systems contained confidential patient information.
What Information Was Viewed or Stolen?
A large amount of information was accessed, which doesn’t look promising for the victims. The hacker may have accessed the following:
- Financial account information
- Credit and/or debit card information
- Passport and driver’s license numbers
- Billing and diagnostic codes
- Claims information like status
- Medical record numbers
- Provider and facility names
- Dates of service
- Insurance provider names and details
- Medical and treatment information
- Full names
- Social security numbers
- Insurance member numbers
How Did Cardiovascular Associates Admit to the Breach?
CVA announced the breach on its informational website. The practice also wrote to the California Attorney General’s Office, including three interchanged letters between victims. The notes read, “On December 5, 2022, it was discovered that certain systems within our network may have been subject to unauthorized activity… In the course of the investigation, it was determined that an unauthorized third party was able to access certain systems that contained personal information and remove a copy of some data from the network between November 28, 2022 and December 5, 2022.”
What Will Become of the Stolen Information?
The stolen information will likely be sold or used by the hacker. They have ample opportunity for identity theft, as well as insurance and medical fraud. There is also a lot of room for more violent crime, as names and addresses were accessed. Depending on how many people were affected, the hacker could make millions of dollars from selling the information on the dark web.
What Should Affected Parties Do in the Aftermath of the Breach?
After any breach, especially one that involves this much PII (personally identifying information), you should file a police report and sign up for identity and credit monitoring. Dark web monitoring certainly wouldn’t hurt, and some services offer all three. As for the police report, that leaves a paper trail and shows that you took every possible step to protect yourself. If you’re lucky, it can be something you do and forget, but if not, it’s important to have. Do your best to stay safe. As important as your personal information is, these things – all things, really – have no value without you.