North Carolina-based Central Dermatology Center is notifying more than 76,000 patients that one of its password-protected servers had been compromised by malware for roughly two years, and their personal information may or may not have been accessed.
How many victims? 76,401.
What type of personal information? Names, addresses, phone numbers, dates of birth, Social Security numbers, billing and diagnostic codes, insurance companies, insurance co-payment information, healthcare providers, employer information, treatment dates, account balances, email addresses, and sex and race information.
What happened? Malware was installed on a Central Dermatology Center server that contained the personal information.
What was the response? The malware was removed and the server has been disconnected from Central Dermatology Center's system. All potentially impacted patients are being notified, and offered free credit monitoring and identity theft protection services.
Details: Central Dermatology Center became aware of the incident on Sept. 25. The malware compromised the password-protected server on or about Aug. 9, 2012 – safeguards were in place, including software designed to prevent malware infections. Central Dermatology Center notified patients in 50 states and 11 countries.
Quote: “Central hired a prominent forensics security expert firm and an information technology firm that investigated this incident, reviewed all systems, and Central has improved our security wherever necessary to help protect our community,” according to a statement by Greg Catt, practice administrator at Central Dermatology Center & Carolina Medi-Spa, in a notification posted to the Central Dermatology Center website.
Source: centralderm.net, “Central Dermatology Center Notifies Patients, Offers Protection, Following Possible Data Security Incident,” Nov. 7, 2014; an email correspondence with a Central Dermatology Center spokesperson.