The UNM Health Sciences Center (HSC) began notifying about 1,900 patients on Feb. 23 that a list containing some limited personal information about them was on two computers that were the subject of a serious cyber attack by two very sophisticated types of malware. We notified all people who may have been affected by this problem by letter.
On February 8, 2010, an information technology (IT) security association of which the HSC is a member advised us that the HSC had been subjected to the malware attack, although there is no indication HSC was specifically targeted. Because HSC’s IT security system is very robust, our system was not penetrated, and most importantly, neither were our electronic medical records; however, two stand-alone computers in a small, off-site clinic did become infected with the malware. The file contained the names and other limited personal information of approximately 1,900 patients treated in that facility between 2007 and 2009. The file did not contain social security numbers or credit card information.
We conducted a detailed analysis of the cyber attack and although we cannot tell for sure whether this file was harvested for its data, we determined it would be appropriate for us to disclose this event to the patients whose names were in the file. Furthermore:
• Protecting the security and privacy of health information is important to us.
• We will continue to take steps to secure computers from these types of problems.
• All information on that computer has been removed. The computer is no longer used.
• The information has now been secured.
The HSC works every day to ensure the privacy and confidentiality of the patient health information it maintains on its IT systems.
HSC’s IT security team has robust security systems in place for all HSC systems to ensure that we ward off further cyber attacks such as this, and we continuously endeavor to find ways to assess, improve and enhance those security systems against the latest advanced cyber threats.