Personal info of more than 500 patients taken during Farmington hospital data breach

Hospital states there's no evidence that personal information has been misused

Joshua Kellogg
Farmington Daily Times
  • San Juan Regional Medical Center sent out letters dated June 4 to patients stating a “recent data security incident” may have involved their personal information.
  • Patient account numbers, medical record numbers and medical diagnosis/medical treatment information was obtained.
  • The information was taken from billing records or documents related to billing.

FARMINGTON — A Farmington hospital has reported a data breach to its network in Fall 2020 that impacted more than 500 patients whose personal information was taken.

The hospital said in a statement there is no evidence of any personal information being misused from the data breach.

San Juan Regional Medical Center sent out letters dated June 4 to patients stating a “recent data security incident” may have involved their personal information.

San Juan County COVID-19 vaccine tracker:45% of people fully vaccinated

The letter states on Sept. 8, 2020, the hospital identified unauthorized access to its computer network.

Patient account numbers, medical record numbers and medical diagnosis/medical treatment information was obtained.

“San Juan Regional Medical Center is committed to maintaining the privacy of personal information in their possession and have taken many precautions to safeguard it,” the hospital said in an emailed statement.

San Juan Regional Medical Center at 801 W. Maple St. in Farmington.

The impacted information of more than 500 patients included:

  • Names
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Financial account numbers
  • Health insurance information
  • Medical information

The information was taken from billing records or documents related to billing. The hospital’s electronic medical record system was not impacted.

Those billing records sometimes contain information tied to a patient’s treatment or medical diagnosis. The patient account number is an internal number that is used to match a patient with billing services.

“To date, we have no evidence that any of the personal information has been misused. The notification letters were sent to make individuals aware of the incident and provide guidance on what individuals can do to further protect themselves,” the hospital said in a statement.

More:State agency reports positive economic news for San Juan County

A third-party cybersecurity team of professionals investigated and completed an analysis of the attack. It was determined an “unauthorized individual” removed information from the network on Sept. 7 and 8, according to the letter.

A manual review of the files removed took place and it revealed on April 6 that those files included some patients' personal information.

The letters sent out to patients were to make them aware of the incident and provide guidance on what they can dot further protect themselves.

In response to the incident, the hospital has invested in additional safeguards to its network.

When asked why the manual review of documents took several months, the hospital said some of the documents were “dense and unformatted.”

“(San Juan Regional Medical Center) document review was thorough and worked to extract all potentially sensitive data, even if the formatting of the documents, or lack of formatting, would have made it difficult if not impossible for anyone to collect any usable data from the document,” the hospital said in a statement.

'Data genocide':Why the true number of American Indian and Alaska Natives killed during the pandemic may n

Patients who received letters were provided information on how to place a fraud alert and security freeze on their credit reports.

It also included information on how to contact law enforcement if suspicious activity is found or if patients believe their information is being misused.

Maurice Cheeks is one of the patients who received a letter about their information being taken during the data breach.

He told The Daily Times he has not run into any issues yet with anyone using his personal information, but he has concerns about it being used in the future and how steps to protect himself could end up hurting him.

“They had a whole year to use everybody’s information and I’m surprised nothing happened yet,” Cheeks said.

He is worried if he took steps like freezing his credit report it could harm his ability to apply for jobs which required a credit check.

Cheeks has been worried that he’ll find out his information taken during the data breach is being used and that it harms his ability to apply for a mortgage or anything requiring his credit history in the future.

Joshua Kellogg covers breaking news for The Daily Times. He can be reached at 505-564-4627 or via email at jkellogg@daily-times.com.

Support local journalism with a digital subscription: http://bit.ly/2I6TU0e