Half a million medical patients just had their addresses, dates of birth, SSNs and more stolen by hackers — how to stay safe

News
By published

From targeted phishing attacks to medical identity theft, there’s a lot hackers can do with this sensitive personal and financial data

A hacker typing quickly on a keyboard
(Image credit: Shutterstock)

Having your personal or financial information stolen by hackers is bad enough as it is, but we’re now seeing an uptick in healthcare data breaches. In addition to all these details, cybercriminals are also getting their hands on medical records, lab results, and more.

Just the other day, I covered a data breach at a health IT company in which thousands of children had their health information exposed. Now, a Maryland-based clinic has revealed that it suffered a similar breach back in October of this year.

As reported by Cybernews, the Center for Vein Restoration (CVR) with 110 locations across the U.S. fell victim to a data security incident that exposed the protected health information (PHI) of patients as well as the personal information of both current and former employees. While vein restoration is a more specialized medical procedure, approximately 445,000 people’s data has now been exposed online.

Here’s everything you need to know about this latest data breach including what to do next if you’re a patient of the Center for Vein Restoration along with some tips and tricks to help you stay safe from hackers after a major security incident like this one.

Stolen medical data

According to a data breach notice (PDF) on the Center for Vein Restoration’s website, on October 6, unusual activity was detected on its systems. After securing its systems and notifying law enforcement about the breach, the center initiated an internal investigation and then hired a third-party forensic firm for additional assistance.

The investigation revealed that while the unauthorized attackers were in CVR’s IT environment, they may have accessed files that included patient names along with some or all of the information listed below:

  • Addresses
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Medical record numbers
  • Diagnosis’
  • Lab results
  • Medications
  • Treatment information
  • Health insurance information
  • Provider names
  • Dates of treatment
  • Financial information

As for past and current employees, information related to their employment may have been obtained by the hackers responsible for this data breach.

With all of this information in hand, hackers can launch a range of different attacks and scams against individuals impacted by this breach from targeted phishing attacks using this stolen info as a lure to identity theft. However, since they also obtained medical record numbers, lab results, details on treatments, and health insurance info, the hackers behind this breach could also commit medical identity theft wherein they submit forged claims to a person’s insurance provider or even to Medicare.

What to do next after a data breach

A data breach warning notification on a laptop

(Image credit: Shutterstock)

If you or someone you know has received treatment from the Center for Vein Restoration, you’ll very likely be receiving a data breach notification in the mail. Besides letting you know that a security incident occurred, these notices can also provide useful info on the steps you should take next and what the company involved in a data breach is doing to keep its customers (or patients) safe.

While some companies deny that a breach even took place or fail to provide victims with some form of protection afterward, the Center for Vein Restoration is taking this matter very seriously. Oftentimes with other data breaches, we learn details about what actually happened through a filing with a state’s Office of the Attorney General (usually Maine). In this case, CVR has a section right on its home page which is where I found the Notice of Data Security Incident linked above.

CVR is providing affected individuals with access to one of the best identity theft protection services through TransUnion. However, the notice on its site doesn’t explain the duration of these services but typically, companies provide either a one-year or two-year subscription. The duration will most likely be included in the official data breach notification letter you’ll receive in the mail if you’re impacted by this breach.

Just like with other data breaches, you’re going to want to carefully review all of your financial and health statements for irregularities which could point to fraud or identity theft. The same goes for your credit reports too though. It could also be worth placing a fraud alert or a security freeze on your credit so that hackers can’t take out new credit cards or loans in your name.

We could potentially learn more details at a later date but for now, CVR has taken all of the necessary steps on its end by informing patients and providing them with identity theft protection. However, you will need to sign up for this service and remain vigilant when it comes to checking all of your accounts for suspicious activity at least for the time being.

More from Tom's Guide

Anthony Spadafora
Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.