Data breach at US healthcare services firm went undetected for three weeks

US healthcare services firm National Cardiovascular Partners (NCP) has begun notifying thousands of patients about a data breach.

The data of thousands of patients held within an Excel spreadsheet was potentially compromised after attackers hacked into the email account of an NCP worker in late April.

The breach took place on April 27 but wasn’t detected until nearly a month later, on May 17. NCP responded by securing the compromised email account before calling in external cybersecurity experts to mop up after the incident.

As part of its breach response, NCP sought to identify whether any personal information had been exposed. It took a full month to confirm that an Excel spreadsheet held in the compromised email account posed the serious risk that it feared.

The information located in the mailbox included names, mailing addresses, and more – information that might be readily abused by would-be identity thieves or to mount closely targeted phishing trawls.

In its breach letter to patients, NCP seeks to play down potential concerns by stressing it hasn’t seen any actual abuse.

“All available evidence suggests that the unauthorized individual’s purpose was to attempt to commit financial fraud against NCP – not to seek and obtain any personal information about the Clinic’s patients or providers,” a sample letter (PDF) states.

“Importantly, there is no evidence that the unauthorized person actually viewed any emails containing your information.”

Identity theft protection

More than 78,000 potentially impacted patients are being alerted to the security breach, according to a filing on the US Department of Health and Human Services’ Breach Portal.

As a precaution, NCP is offering to gift patients a one-year membership of Experian IdentityWorks, an identity theft protection service.

The Daily Swig asked NCP to clarify the nature of the attempted scam against it, as well as whether or not financial or medical data was included in the exposed records.

We’ll update this story as and when more information comes to hand.

NCP specialises in handling IT services for outpatient cardiac catheterization and vascular labs. Physicians handle the medical side of running a heart care clinic while NCP manages the initial set-up and ongoing back office and administration of each center.
