Palomar Health Medical Group has informed its patients that an April 2024 cyberattack may have affected their data. The company is a primary and specialty care provider to North San Diego County residents. Patients’ protected health information (PHI) may have been exposed during the cyberattack. The medical group discovered the security breach on or about May 5, 2024, and quickly took action to stop unauthorized access to its network. The company investigated to determine the nature and extent of the incident, and the investigation verified that hackers had access to its system between April 23, 2024 and May 5, 2024.
Palomar Health Medical Group stated that the cyberattack potentially left some files unrecoverable, which indicates ransomware use. The investigation confirmed that some files were exfiltrated from its system. The investigative team is still reviewing those files and working on possibly recovering the impacted files. Complete repair of the impacted systems is expected by July 1, 2024; however, the recovery process is quite challenging and is taking more time than expected.
Palomar Health Medical Group cannot say specifically how many patients were impacted or exactly which types of information were compromised or stolen during the attack; nevertheless, the affected categories of data have been identified. The exposed data differs from one person to another and, according to the preliminary results of the investigation, includes patient names along with at least one of the following: address, birth date, Social Security number, medical background data, disability details, diagnostic data, treatment details, doctor-prescribed drug data, doctor data, medical record number, medical insurance data, subscriber number, medical insurance group/plan number, debit/credit card number, expiration date, security code/PIN number, email address/username and password.
The breach has impacted present and past patients of Palomar Health Medical Group. Patients of Pacific Accountable Care and Graybill Medical Group, affiliates of Palomar Health Group, were also affected. Personal notification letters will be sent by mail to the impacted persons as soon as the file analysis is finished. In light of this incident, it is recommended that the medical group reinforce its cybersecurity by improving its defense system and giving employees refresher HIPAA training.