USA: Norwood notifies OCR of data security incident
Norwood Clinic, Inc notified, on 25 February 2022, the U.S. Department of Health and Human Services' ('HHS') Office for Civil Rights ('OCR') of a data security incident affecting 228,000 individuals. In particular, Norwood outlined that it was the victim of a cyber attack that resulted in the unauthorised access of data stored on its network. However, according to Norwood, the investigation was unable to confirm the specific information that may have been accessed.
Therefore, Norwood noted that some of the compromised personal information may have included:
- patient's names;
- contact information;
- dates of birth;
- social security numbers;
- driver's license numbers;
- limited health information; and
- health insurance policy numbers.
Lastly, Norwood noted that as post-incident measures, it has taken additional measures to protect patients' information, such as:
- revising email settings and policies;
- updating and modifying network security technical hardware;
- adding additional password complexity rules;
- instituting additional secure login mechanisms for all accounts;
- offering 12 months of complimentary credit monitoring, dark web monitoring, and identity theft protection services to all potentially affected individuals; and
- notification letters will be sent to those individuals with the information to enroll in the credit monitoring services.