CyberSecurity SEE

Staten Island Hospital Alerting 674,000 Individuals of May 2023 Data Breach

Richmond University Medical Center, a 440-bed teaching hospital located on Staten Island, New York, is currently in the process of notifying approximately 674,000 individuals about a data theft incident that occurred 18 months ago. The breach in question was a result of a ransomware attack that disrupted the hospital’s IT systems for several weeks during the spring of 2023.

The medical center officially disclosed the data breach on December 19, 2024, in a notification to federal regulators. According to the hospital, third-party cybersecurity professionals were brought in to assist with responding to the incident and conducting a thorough investigation into the breach. While an initial forensic investigation concluded that the electronic health records system was not compromised during the attack, further examination revealed that certain files may have been accessed or removed from the network around May 6, 2023.

In response to the breach, RUMC manually reviewed the affected files to determine if any sensitive personal information or personal health information was compromised. The review process uncovered that at least one of the compromised files contained a range of sensitive data, including full names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, and medical treatment and diagnosis information.

The incident not only resulted in a data theft but also caused a widespread IT outage that impacted connectivity and access to records at RUMC’s hospital and outpatient facilities for nearly a month. Despite inquiries and requests for additional information regarding the breach, the medical center has not provided any further details or comments on why it took over 18 months to notify affected individuals following the cyber-attack.

Experts in the healthcare sector have noted that many organizations struggle with incident response, leading to significant delays between the discovery of a breach and the notification of affected individuals. The HIPAA breach notification rule mandates that covered entities must notify affected individuals within 60 days of discovering compromised protected health information and report such incidents affecting 500 or more people to federal regulators within the same timeframe.

Paul Underwood, the vice president of security at Neovera, highlighted the challenges that organizations face in determining the impact of a breach due to a lack of skills and budget. He emphasized the importance of investing in critical cybersecurity infrastructure to expedite the process of identifying and addressing malicious activities in the event of a breach.

With RUMC already facing proposed federal class action litigation related to the data theft incident, including several lawsuits seeking financial damages for negligence in safeguarding sensitive information, the medical center may be subjected to further scrutiny and legal repercussions as a result of the breach.

In light of this incident, cybersecurity experts recommend that healthcare organizations proactively take steps to enhance their data security measures, such as minimizing data storage, isolating sensitive information, implementing a tiered infrastructure model, and prioritizing identity system security to mitigate the risk of future breaches and ensure a timely response in the event of a data theft incident.
