Several California medical groups have sent security breach notification letters to more than three million patients alerting them that crooks may have stolen a ton of their sensitive health and personal information during a ransomware infection in December.
According to the Southern California health-care organizations, which include Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical, the security breach happened around December 1, 2022.
“After extensive review, malware was detected on some of our servers, which a threat actor utilized to access and exfiltrate data,” according to a notice posted on Regal’s website and filed with the California Attorney General’s office [PDF].
The medical outfit said it hired third-party incident responders to assist and worked with security vendors to restore access to its systems and determine what data was impacted.
Judging from the filings with various state and federal agencies, the news wasn’t good.
Extortionists stole, among other things, from the medical groups: patients’ names, social security numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and phone numbers.
And according to the US Department of Health and Human Services, which is investigating the database breach, it affected 3,300,638 people.
“Regal is taking steps to notify potentially impacted individuals of this breach to ensure transparency,” the company’s notification stated, adding it notified law enforcement and regulatory agencies about the ransomware attack.
Regal did not immediately respond to The Register‘s questions, including