San Juan Regional Medical Center in Farmington, N.M., is again notifying nearly 69,000 patients with more information about a previous malware attack that exposed their protected health information.
The hospital reported the breach to HHS on June 4, saying it affected 68,792 individuals. In June, the hospital said it discovered that an unauthorized individual accessed its network from Sept. 7-8, 2020, during which the hacker removed some information.
The hospital posted an online data security incident notice Oct. 7 with more information about the breach, including that the hacker used malware to remove patient information from its network. San Juan Regional said it has no evidence that any of the stolen information has been misused, but it is sending out another round of notification letters, as its previous "manual document review of the impacted files was extensive and required significant time to complete," according to its October notice.
The hospital did not pay a ransom, as it was not the victim of a ransomware attack, it said, adding that files and data on its IT system were not encrypted or held hostage for extortion. San Juan Regional took IT systems affected by the malware offline as soon as it discovered the attack and secured the network before bringing those systems back online, according to the notice.
Some of the files the hacker removed contained patient information including names, Social Security numbers, birthdates, driver's license numbers, financial account numbers and medical record details. The hospital is offering free credit monitoring services to patients whose Social Security numbers were among the files that were removed.