USA: South Denver Cardiology notifies OCR of data security incident
South Denver Cardiology Associates PC notified, on 4 March 2022, the U.S. Department of Health and Human Services ('HHS') Office for Civil Rights ('OCR') of a data security incident affecting 287,652 individuals. In particular, South Denver Cardiology stated that on 4 January 2022 it identified unusual activity within its computer network and immediately initiated its incident response process which included securing its network and shutting off select computer systems.
In addition, South Denver Cardiology stated that it notified law enforcement, began an investigation, and engaged a computer forensics firm to investigate the scope of the incident, which revealed that an unauthorised person accessed its network between 2 January 2022 and 5 January 2022, and, during that time, accessed certain files stored on its systems which contained patient information, which may have included patients' names, dates of birth, social security numbers and drivers' licence numbers, patient account numbers, health insurance information, and clinical information, among others.
Moreover, South Denver Cardiology stated that while it has no indication that the individuals' information has been misused as a result of the incident, as a precaution, it nevertheless began mailing letters to its patients which include guidance on how patients can protect their information as well as details on its complementary credit monitoring and identity protection services.