Palomar Health Medical Group recently told its patients that a wide range of their personal information may have been compromised when an “unauthorized actor” accessed “certain files” on its digital network. But, two months in, the North County medical provider said it still “is not able to identify the specific individuals and information that may have been impacted.”
Palomar first detected the breach, said to have spared its hospitals in Escondido and Poway, on May 5, but indicated this week that its ongoing investigation has found that the unauthorized digital intruder first was inside its defenses on April 23 and the infiltration continued until May 5 when the medical group “identified suspicious activity on certain computer systems within its network.”
That activity, the latest statement indicates, may have included copying files and also “may have caused certain files to become unrecoverable.”
Palomar Health, which owns the group and its affiliate, Graybill Medical, which is also affected, said that the medical group “is continuing its efforts to restore all files and identify the specific individuals and information that may have been impacted so it can provide individualized notice with additional information when its investigation is complete.”
For the first time, Palomar listed which types of information may have been compromised. That information, the medical group said, “could include name, address, date of birth, Social Security number, medical history information, disability information, diagnostic information, treatment information, prescription information, physician information, medical record number, health insurance information, subscriber number, health insurance group/plan number, credit/debit card number, security code/PIN number, expiration date, email address and password, and username and password.”
What exactly is meant by prescription treatment and diagnostic information is not specified. Health care data breaches, including those that occurred recently at Scripps Health and UC San Diego Health, have involved administrative systems where information necessary to bill health insurance companies for services rendered are stored. But the truly sensitive stuff — patient charts, medical test results, patient progress notes — are generally stored in an organization’s electronic medical record.
Palomar did not respond Friday when asked whether the medical group breach extended to those more clinical details.
It would appear that the medical group’s operations continue to be significantly impacted by the network incursion.
Eric Goldy of Valley Center said Friday afternoon that calling in to make appointments or check up on the details of an ongoing course of treatment continues to get nowhere.
“You still can’t get through to anybody on the phone,” he said. “Everything goes to an answering service, and they say they’ll get back within 24 or 48 hours, and you hear nothing back.”
He said better results come from showing up in person with paper printouts of required information. But that process, he added, continues to be significantly more labor-intensive than it was before the attack.
“With bloodwork, you know, normally they just upload the results into your digital file and your doctor has it immediately, but they don’t have that capability anymore, at least not that I’ve seen,” Goldy said. “So, a few days after the bloodwork is done, I’ll go back down to hand-deliver it to the office.”
Overall though, he added that he believes Graybill has done a decent job scheduling a minor surgery he needs. Some might wonder, given months of ongoing delays, why he does not simply give up and find a different provider?
He said he has seen his current Graybill physician for 15 years and, during that time, he managed to lose 100 pounds working together with this trusted medical advisor.
“I’ve had a good relationship with him; he’s been very helpful, not just writing me prescriptions but really taking an interest in my health like a doctor should,” Goldy said. “I just like him, and I trust him, and I’m willing to go a little longer hoping that this gets taken care of before wanting to start over elsewhere.”
