More Than 600K Patients Impacted by UNM Health Data Breach

UNM Health discovered a data breach that impacted over 600,000 patients, possibly exposing personally identifiable information.

University of New Mexico (UNM) Health announced that it fell victim to a data breach that may have exposed the personally identifiable information (PII) and protected health information (PHI) of over 600,000 patients. The health system’s impacted hospitals include UNM Medical Group, UNM Sandoval Regional Medical Center, and UNM Hospital.  

The breach occurred on May 2, but UNM Health was not aware of the incident until June 4. UNM Health began sending letters to impacted patients in early August. The incident impacted UNM Health’s network server and affected 637,252 individuals, according to HHS’s Office for Civil Rights (OCR).

An unauthorized third party gained access to the health system’s network and may have obtained files that included names, addresses, medical record or patient identification numbers, dates of birth, Social Security numbers, clinical information, and health insurance information. The third party did not access UNM Health’s EHR system.

“UNM Health is mailing notification letters to patients whose information may have been involved in this incident and is also providing individuals whose Social Security number was involved with complimentary credit monitoring and identity theft protection services,” the announcement stated.

“Patients are encouraged to review statements from their health insurer and health care providers, and to contact them immediately if they see any services they did not receive.”

It is unclear whether ransomware was involved in the cybersecurity incident. The announcement did not mention any impact on patient care.

“UNM Health takes this issue very seriously and is taking steps to help ensure something like this does not happen again,” the announcement continued.

“UNM Health has provided additional education to staff and is enhancing the security of its systems and the information it maintains.”

In other recent healthcare data breach news, Minnesota-based Electromed, a company that manufactures airway clearance devices, sent a notice to 47,000 individuals informing them of a data breach that may have exposed protected health information (PHI).

The breach impacted Electromed’s customers, employees, and some third-party contractors. Names, mailing addresses, medical information, health insurance information, and Social Security numbers were exposed in some instances.

Memorial Health System, based in Ohio and West Virginia, also suffered a data breach recently that resulted in emergency room diversions and appointment cancellations. The cyberattack caused disruptions in clinical and financial operations, and systems remain down. The breach did not impact employee or patient information.
