New Mexico Health Breach Affects Over 637,000

Incident Ranks Among the Largest Posted on Federal Tally This Year

Albuquerque, New Mexico-based UNM Health has reported to federal regulators a hacking incident that is among the largest health data breaches posted to the Department of Health and Human Services' "wall of shame" so far in 2021.

The breach was reported to HHS on Aug. 3 as affecting over 637,300 individuals and involving a network server, according to the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.

UNM Health includes UNM Hospital, UNM Medical Group and UNM Sandoval Regional Medical Center.

In an Aug. 3 breach notification statement, the organization says that on June 4, it learned that an unauthorized third party had gained access to its network and may have accessed or obtained certain files from its systems on May 2.

"We reviewed these files and determined that some patient information was contained within them, such as names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, and/or limited clinical information regarding care received at UNM Health," the statement notes. In some instances, patients’ Social Security numbers were also involved, the statement adds.

UNM Health says its electronic medical records were not accessible to the unauthorized party.

The organization says it is offering prepaid credit monitoring and identity theft protection services to individuals whose Social Security numbers were affected.

UNM Health notes that it has provided additional education to staff and is continuing to take steps to enhance the security of its systems and the information it maintains.

In a statement, UNM Health tells Information Security Media Group: "Due to our IT team's quick action, UNM Health was not a victim of ransomware and patient care was not impacted. We continue to work with federal and local law enforcement and are taking steps to enhance the security of our systems. At this time there is no indication any of our patients’ information has been misused."

ID Theft Risk

The UNM Health breach is significant because the data exposed raises the risk of identity theft, says Jim Van Dyke, senior vice president at security firm Sontiq, which analyzes the type of information that gets exposed in breaches.

The data exposure "could enable potential identity scams or other types of fraud, if used to contact the affected breach victims by a criminal posing as a trusted authority in an attempt to gain additional identity credentials - all on the path to committing other types of identity theft or fraud," he says.

New Mexico residents are facing another healthcare data breach with serious identity protection risks, he adds. Earlier this year, Rehoboth McKinley Christian Health Care Services, also in New Mexico, reported to HHS OCR a ransomware-related incident affecting 207,000 individuals.

Van Dyke says that incident - which exposed 12 identity credentials - is one of the riskiest breaches of 2021, so far. "Many victims of healthcare data breaches mistakenly believe that criminals will limit their misuse of compromised data to healthcare-related fraud and scams. What we've found is that because such sensitive data is often exposed, these patients are at a high risk of numerous identity threats."

Largest Breaches

As of Tuesday, the UNM Health incident was the 11th-largest health data breach posted to the HHS OCR website so far this year.

Each of the 16 largest breaches posted to the federal tally so far in 2021 was reported as a hacking incident.

The biggest of those incidents was reported in January by Tallahassee, Florida-based Florida Healthy Kids Corp., an organization that administers a children’s dental and health insurance program in Florida.

That breach, affecting 3.5 million individuals, involved a vendor - Jelly Bean Communications Design - that hosted Florida Healthy Kids' website and apparently failed to address vulnerabilities over a 7-year period. The incident resulted in the exposure of personal information. Florida Healthy Kids also reported that the hackers had tampered with some of that data.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
