Pasquotank-Camden Emergency Medical Services (PCEMS) has notified more than 20,000 patients that their data may have been compromised in a data breach.
Hackers exploited a vulnerability in its TriTech billing system on December 15, 2019. The server contained the protected health information (PHI) of 20,420 patients, with some files dating back as far as 2005. The hackers designed their attack so that they appeared as a regular user to PCEMS’s IT staff, so the attack was not immediately detected.
The types of information stored on the server included names, birth dates, Social Security numbers, and some medical information PCEMS had collected.
PCEMS contracted Soundside Group, a third-party cybersecurity company, to investigate the attack. The investigators discovered that the hacker deleted some data during the attack, but did not copy or download any files.
PCEMS informed the Sheriff of Pasquotank County and federal law enforcement agencies of the attack. Law enforcement conducted their own investigation into the breach and stated that they believed that the hacker was based outside of the US.
Per HIPAA’s Breach Notification Rule, notification letters have been sent to all affected patients. PCEMS has not found any evidence that the hacker has used any patient information for nefarious purposes. However, since data theft could not be ruled out, PCEMS has offered all affected patients 12 months of free credit monitoring and identity theft protection services through ID Experts.
A $1,000,000 insurance reimbursement policy covers affected patients. Patients must register for these services by May 26, 2019.
PCEMS is now reviewing its cybersecurity protections and is taking steps to enhance cybersecurity to prevent similar breaches in the future. PCEMS informed TriTech of the issue, and the company has since rectified the vulnerability.
It is possible that up to 40,000 patients were affected by the breach, according to DailyAdvance.com, a local news outlet.