An additional 110,000 Connecticut residents had their personal data compromised during a six-week cyberattack on three Prospect Medical Holdings hospitals in the summer, according to a letter from their attorney to the state.
Initially, Prospect believed the data breach affected only 63 Connecticut patients, along with 24,000 employees.
In a two-page letter to the state attorney general’s office, attorneys representing the California-based hospital chain wrote that they have sent notifications by mail to 109,728 Connecticut residents, most of whom are patients.
“For patients, the information varied, but included: patient names, addresses, dates of birth, diagnosis, lab results, medications, and other treatment information, health insurance information, provider/facility name, dates of treatment, and financial information,” attorney Sara Goldstein of the Philadelphia-based law firm BakerHostetler wrote.
“For individuals affiliated with Prospect Medical, including vendors, this information may have included their names and Social Security numbers,” Goldstein said.
Goldstein said Prospect Medical is offering vendors and employees whose Social Security numbers were involved two years of complimentary credit monitoring and identity protection services through a company called IDX. Prospect officials said a “very small number” of vendors were among the 110,000 involved in the data breach. They did not provide an estimate of how many people working for vendor companies may have had their information stolen.
“On November 13, 2023, Prospect Medical began mailing letters to patients whose information may have been involved in the incident,” Prospect officials said in a statement. “For patients whose information may have been involved in the incident, Prospect Medical recommends reviewing the statements they receive from their health care providers and contacting the relevant provider immediately if they see services that they did not receive.
“Prospect Medical takes this incident very seriously and sincerely regrets any concern this may cause. To help prevent something like this from happening again, Prospect Medical has implemented additional safeguards and technical security measures to further protect and monitor its systems.”
The company launched a toll-free “incident response line” to answer questions about the breach. People who may have had their information stolen can call 888-979-0012 Monday through Friday from 6 a.m. to 6 p.m. Pacific Time.
Prospect is required by state law to update the attorney general’s office periodically after a cyberattack occurs.
“The Office of the Attorney General’s Privacy Section is reviewing the supplemental notification just provided by Prospect as well as its information security practices,” Elizabeth Benton, spokeswoman for the attorney general’s office, said Wednesday.
The cyberattack occurred in early August and lasted nearly six weeks, crippling services at Manchester Memorial Hospital, Rockville General Hospital and Waterbury Hospital.
The cyberattack forced the hospitals to divert ambulances away from their emergency rooms, caused havoc with reading X-rays and electrocardiograms and crashed their payment system, forcing them to seek a one-time $7 million upfront Medicaid payment from the state.
This is the fourth update the company has given the attorney general, although the last one was on Sept. 23.
At that time, Prospect believed about 24,000 Connecticut residents may have had their data stolen, and that most of them were current or former employees.
Prospect also told the attorney general’s office at the time that 63 Connecticut residents who were patients at Prospect hospitals in California may have had their information breached, including patient names, health insurance and financial information. Of those breaches, 13 had Social Security numbers involved, according to the attorney general’s office.
In an internal email to employees in September, Prospect said the investigation so far showed that an “unauthorized party gained access to our IT network between the dates of July 31 and August 3 … The unauthorized party accessed benefits administration files that contain information pertaining to current ECHN and Waterbury HEALTH employees and certain former employees.”
Prospect said its investigation of the cyberattack is still ongoing and the company has hired Kroll, a New York City-based cybersecurity firm, to conduct it.