More than three weeks after Palomar Health Medical Group detected “suspicious activity” within its network, patients still don't know whether their personal data was leaked.
“Nobody has said anything to me about what happened, what they've done, what they've fixed. Nothing,” patient Vernon Weaver told us on May 7. “They know my name, my address, my phone number, my blood type, my date of birth, my Social Security number, my next of kin.”
Weaver said PHMG sent an update on May 21, but again, there was no mention of any data having been potentially leaked.
Palomar Medical Centers in Poway and Escondido were not affected by the cybersecurity incident.
“Unfortunately, these incidents are ransomware and will eventually come to light,” said Sai Huda, CEO of CyberCatch.
PHMG has not said whether it was a ransomware attack, but based on the notification sent to patients and Huda's experience dealing with cybersecurity emergencies, he suspects it may have been.
Huda said the absence of any report that data was leaked may be good news for patients.
“If we had detected the ransomware earlier, it may have infected fewer systems instead of many, and no data may have been leaked.”
Whatever is going on, the Identity Theft Resource Center says patients have a right to know more by now.
“Companies have ample time to obtain at least basic information before sending most data breach notifications,” said James E. Lee, chief operating officer at the ITRC.
Lee said he was concerned that, nearly a month later, patients still don't know what data may have been leaked.
“Be as transparent as you can today and explain the limitations to people. Don't leave them in an information vacuum so they don't understand why you can't be more upfront.”
Lee says transparency around data breaches across the country has declined in recent years. In 2021, 100% of data breach notifications included information about what happened, what information was compromised, and how many people were affected. Since then, that level of transparency has dropped to about 50% in 2023 and 68% so far in 2024, he says.
“Continuous communication is always going to be valuable, even if there isn't necessarily a lot of new information, just reiterating to people that there's a lot they can do,” Lee said.
We conveyed the ITRC's concerns to PHMG, which responded that it has nothing new to add to the statement it sent us three weeks ago.
The statement read: “Third-party experts are working with Palomar Health Medical Group to investigate the cause of this outage, determine the impact on our systems, and restore full system functionality as quickly as possible. We are also investigating how this incident may have affected the security of data in our environment.”
Again, PHMG did not describe what happened as a data breach or ransomware attack. Either way, CyberCatch agrees with the ITRC that there needs to be more transparency with patients.
“We should not wait for a long time and tell everything. We should tell as things develop. I think that's good transparency,” Huda said.
The ITRC says that just monitoring your credit is no longer enough, because you'll be in for an uphill battle if you find out someone has stolen your identity. You're better off proactively freezing your credit with the three major credit bureaus to prevent someone from opening new accounts in your name. You can temporarily lift the freeze if you need to apply for credit.
Use the links below to freeze your credit for free:
Equifax
Experian
TransUnion