California Medical Group's Ransomware Breach Affects 3.3M

Regal Medical Group Says Patients of Several Affiliates Are Among Those Affected
More than 3.3 million southern Californians had their personal health information stolen during a ransomware attack, reports Regal Medical Group, one of the largest Southland medical groups.

Regal reported the hacking incident on Feb. 1 to the Department of Health and Human Services as affecting several of its affiliated medical groups, including Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group.

The medical group of more than 3,000 primary care doctors says it became aware of the breach on Dec. 8, and the data compromise occurred about a week earlier.

Regal employees had noticed difficulty in accessing some of the organization's servers, the notice says. After an extensive review, malware was detected on some of Regal's servers, which a threat actor used to access and exfiltrate data, the notice says.

Patient data potentially compromised in the incident includes names, Social Security numbers, addresses, birthdates, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and phone numbers.

The organization is offering affected individuals one year of complimentary credit monitoring, and it says it has notified law enforcement about the incident.

Regal did not immediately respond to Information Security Media Group's request for additional information about the incident.

Growth Pains

Regal is among the many healthcare sector organizations that have grown in recent years through mergers and acquisitions, as well as through affiliations with other medical entities. That growth potentially contributed to its data security incident affecting so many patients, some experts say (see: Mergers and Acquisitions in Healthcare: Security Risks).

"The entire organization is going to be at risk once a connected network is in place. This is why understanding the security stance of a potential acquisition before implementation to the network is so important," says Susan Lucci, senior privacy and security consultant at consultancy tw-Security.

The Regal incident is by far the largest posted so far in 2023 on HHS OCR's HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
