Posted On December 11, 2022 Consumer Privacy & Data Breaches
December 11, 2022 – San Gorgonio Memorial Hospital (“SGMH”) filed notice of a data breach with the California Attorney General’s office after learning that an unauthorized party was able to access and remove certain files from the company’s computer network that contained confidential patient information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and protected health information. After confirming that consumer data was leaked, SGMH began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the SGMH data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from San Gorgonio Memorial Hospital.
The available information regarding the San Gorgonio Memorial Hospital breach comes from the company’s filing with the Attorney General of California as well as a notice posted on the company’s website. According to these sources, on November 10, 2022, SGMH identified unusual activity within its computer network. In response, the company shut down the affected systems and began working with third-party data security specialists to learn more about the nature and scope of the incident, as well as whether any patient information was leaked as a result.
The hospital’s investigation confirmed that an unauthorized party accessed its network between October 29, 2022 and November 10, 2022 and, during that time, accessed some of the documents on its computer system. Further investigation determined that some of the compromised files contained confidential patient information.
Upon discovering that sensitive patient data was accessible to an unauthorized party, San Gorgonio Memorial Hospital began to review the compromised files to determine what information was leaked and which consumers were affected. While the breached information varies depending on the individual, it may include your name, Social Security number, driver’s license number, address, date of birth, and protected health information. The protected health information subject to unauthorized access possibly includes information related to your medical record number, visit ID number, health insurance policy and claims, and clinical information, such as diagnosis, treatment information, date of service, provider name, and department name.
On December 7, 2022, San Gorgonio Memorial Hospital sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. So far, SGMH has not released the total number of victims impacted by the recent data breach.
Founded in 1951, San Gorgonio Memorial Hospital is a full-service hospital located in Banning, California. The hospital serves the Riverside County area, providing a wide range of routine and emergency services, including behavioral health, cardiac rehabilitation, clinical laboratory, diagnostic imaging, emergency services, hospitalist, intensive care, nutritional services, obstetrics, orthopedic services, physical therapy, social services, and surgery services. San Gorgonio Memorial Hospital employs more than 594 people and generates approximately $44 million in annual revenue.
As noted above, the San Gorgonio Memorial Hospital data breach leaked several different types of patient information, including their protected health information. Protected health information, or PHI, can refer to any information, such as test and laboratory results, medical history information, demographic information, insurance information, and mental health information, that healthcare providers collect during the course of a patient’s treatment.
Of course, not all healthcare-related information is considered protected health information—only data that contains an identifier is considered PHI. This is because, without an identifier, there is no way for anyone to connect data back to a specific patient. There are 18 different identifiers outlined in HIPAA, including a patient’s:
The collection and use of protected health information is controlled by the Health Insurance Portability and Accountability Act of 1996, more commonly referred to as HIPAA. One of the most important provisions of HIPAA is the “privacy rule,” which “protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” Simply put, medical providers cannot disclose any information that falls under the Privacy Rule without the patient’s consent or as otherwise authorized by the Privacy Rule. And importantly, even an inadvertent disclosure of patient data may still violate the privacy rule.
Health information is very personal, and for this reason alone, healthcare data breaches are concerning. However, aside from the privacy concerns, healthcare data breaches also put patients at risk of experiencing financial—and even physical—harm.
In the worst-case scenario, a hacker who steals your protected health information will sell it on the dark web to another criminal who is looking to obtain free medical care. Once a criminal purchases your information, they essentially steal your identity, going to the doctor’s office pretending to be you. This not only leaves you responsible for their medical bills, but it can also lead to misleading and incorrect information being included in your medical records; for example, if the criminal who obtains care in your name gives doctors their own medical history or list of current medications.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the SGMH data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the “Notice to Patients” posted on the San Gorgonio Memorial Hospital website (a link to the actual notice can be found here):
Dear [Redacted],
San Gorgonio Memorial Hospital (“SGMH”) is committed to protecting the security and privacy of our patients’ information. This notice concerns a cybersecurity event that may have involved some of that information.
On November 10, 2022, we identified unusual activity within our computer network. We immediately initiated our incident response protocols, which included isolating and shutting off select systems. We also began an investigation with the assistance of a third-party forensic firm. The investigation determined that an unauthorized party accessed our network between October 29, 2022 and November 10, 2022 and, during that time, accessed some of the documents on our system. On November 14, 2022, we discovered that some of those documents contained patient information.
Our investigation into the documents involved in this incident is ongoing. However, at this time, we have identified documents containing patient names, addresses, dates of birth, medical record numbers, visit ID numbers, and/or clinical information, such as dates of service, provider names, and/or department names. In some instances, patients’ Social Security numbers, driver’s license numbers, financial account information, and/or health insurance information may have also been reflected in the documents involved.
On December 7, 2022, we mailed notification letters to individuals whose information was contained in the documents initially identified as impacted. Upon completion of our ongoing review, we will mail notification letters to additional individuals whose information is contained in affected documents and for whom we have sufficient contact information. We have also established a dedicated, toll-free call center to answer patients’ questions. If you have questions about the incident, please call (855) 504-4431, available Monday through Friday, from 6:00 a.m. to 3:30 p.m. Pacific Time. For those whose Social Security numbers and/or driver’s license numbers are identified in the affected documents, we are offering complimentary credit monitoring and identity protection services. We also note that it is always a good idea to review the statements you receive from healthcare providers and health insurers. If patients see services that they did not receive, they should contact the provider or insurer immediately.
To help prevent something like this from happening again, we have implemented additional safeguards and technical security measures to further protect and monitor our IT system.
We sincerely regret any concern or inconvenience this incident may cause. We are committed to the privacy and security of patient information and look forward to continuing to serve our community.