Utah Imaging Associates (UIA), a Utah-based radiology center, has announced a data breach affecting 582,170 people after their personal information was exposed.
According to the data breach notification sent to affected individuals, the security incident was discovered on September 4, 2021, and was remediated on the same day.
However, the initial network infiltration happened on August 29, 2021, allowing the threat actors to explore UIA’s internal systems and potentially steal data for about a week.
The subsequent forensic investigation carried out with the help of a specialized third-party cybersecurity firm revealed that the unauthorized network intruder had access to the following personal information of patients:
- First and last name
- Mailing address
- Date of birth
- Social Security number
- Health insurance policy number
- Medical information (medical treatment, diagnosis, and prescription information)
The type of information varies by individual, so not all of the above elements concern each recipient of the data breach notice.
UIA also points out that they have received no reports of this data having been leaked online, two months after the incident.
This, however, doesn’t guarantee that any stolen data isn’t privately shared among hackers on the dark web, as is commonly done with data breaches.
People who used UIA’s services in the past should take advantage of the offered 12 months of credit monitoring services through IDX and remain vigilant against social engineering attacks.
If you have noticed signs of fraud, unusual bank account charges, or suspicious emails and calls, you are advised to report it immediately by calling (833) 525-2720.
BleepingComputer has contacted UIA to learn more about the nature of the data breach, and we will update this post as soon as we have more details.
Medical centers are easy pickings
Hackers tend to target medical centers like UIA as they handle sensitive data considered valuable in the cybercrime underground.
Some notable recent incidents targeting healthcare include:
- A breach at Weill Cornell Medicine in New York that took place last week
- A security incident that disrupted operations at the Southern Ohio Medical Center last week
- A damaging cyberattack against the Johnson Memorial Health network last month
- A large-scale attack against the health care system of the Canadian province of Newfoundland and Labrador
- A data breach affecting roughly 137,000 patients of the Urology Center of Colorado, two weeks ago
As healthcare visits require patients to provide a lot of personal information, the responsibility of securing their sensitive data can be difficult for healthcare providers.
This is especially true for smaller practices that may operate under a limited budget without a dedicated IT staff.
All businesses, including medical practices, should safeguard their data by not exposing internal services, such as remote desktop, to the Internet, following good backup schedules, and conducting phishing training for their employees.