Malware Attack on Rosenbaum Dental Group and Kingman Regional Medical Center Website Misconfiguration Compromised PHI

A flaw on the Kingman Regional Medical Center (KRMC) website led to the exposure of some patients’ protected health information (PHI).

KRMC learned about the security problem on April 8, 2019, and shut down the website while it investigated. A third-party computer forensics firm helped KRMC determine that its website configuration may have allowed unauthorized persons to access patient data.

The website was located on a separate server, so the data that could be accessed was limited to the data uploaded to that server. The information of a small subset of KRMC patients who entered personal care information into the website to access services, such as booking an appointment, may have been exposed. The information included names, birth dates, and information provided in connection with a health condition for which the patient was seeking healthcare services.

KRMC notified the impacted patients by mail on June 7, 2019. KRMC has kept its website offline for over 2 months now and is currently rebuilding the website with improved privacy and security controls.

A malware attack on the systems of Rosenbaum Dental Group may have allowed unauthorized persons to access some patients’ PHI. The affected system contained the following types of information: names, phone numbers, addresses, and health insurance details.

It was impossible to ascertain if patients’ PHI was compromised during the malware attack. As a safety precaution, the dental group notified by mail all patients who may have been affected and offered them one year of free membership to credit monitoring and reporting services.

Rosenbaum submitted a breach notice to the Department of Health and Human Services Office for Civil Rights, although the incident has not appeared yet on the OCR breach site. Hence, the number of individuals affected is still unclear.