Palomar Health Medical Group (PHMG) on Wednesday issued a notice that patients' information may have been compromised by a recent data breach.
In an email to KPBS, PHMG said the breach happened between April 23 and May 5. The email sent on behalf of PHMG and its affiliates, Graybill Medical Group Inc. and Pacific Accountable Care, said hackers gained access to patient names, dates of birth, Social Security numbers, medical history and health insurance information.
This comes on the heels of a class-action lawsuit that was filed on behalf of a patient on June 24. His attorneys allege negligence on PHMG’s part, a violation of the state’s medical information confidentiality act, customer records act and the right to privacy, among other claims. The suit is seeking monetary damages.
Since May 5, PHMG's computers have been down and doctors cannot access patient records, including prescription information.
Palomar Health said it doesn't know how many patients' records were compromised and that hackers appeared to have downloaded and deleted some files, which may be "unrecoverable."
Tony Anscombe, a cybersecurity expert at ESET, a global cybersecurity company in San Diego, said that's quite alarming. He said PHMG patients should assume their data has been breached.
"I'd also go back and check medical insurance claims that nobody's been making fraudulent claims in the last two months on your insurance policy," Anscombe said. "I'd lock my credit file. Now, what that means is, nobody can actually use your Social Security number or your personal information to gain access to credit."
Because hackers were able to download and delete records, University of San Diego cybersecurity professor Nikolas Behar said the hack could be a case of double extortion ransomware.
"That leads me to believe that the attacker was attempting to delete the data and then say, 'Hey, if you want your data back, you're gonna have to pay us,'" he said. "And then on top of that, once they get the data back, then they'll say, 'Okay, if you don't want us to release the data, then you have to pay us again,' and that's becoming very, very common."
Behar said small health care systems like Palomar Health do not have the financial resources or manpower to recover the data quickly.
PHMG said anyone with questions about the breach can call (888) 829-5736 between 9 a.m. and 9 p.m. Eastern time, excluding holidays. They may also write to 15611 Pomerado Road, Poway, CA 92064.