University Urology

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

University Urology in New York City experienced a significant data breach, which was first detected due to suspicious activity within their computer systems on February 1, 2023. A thorough forensic analysis was conducted by third-party cybersecurity experts, concluding on March 3, 2023, that files within the network had been accessed. A manual review of these files was completed by March 30, 2023, and notification letters were sent out to the affected individuals on May 1, 2023[1][3].

The breach affected 56,816 individuals, and the types of exposed information varied from person to person. Potentially compromised data included names, dates of birth, addresses, medical conditions, medical treatments, test results, prescription information, health insurance details (including subscriber ID numbers and health plan beneficiary numbers), billing/invoice information, and usernames/email addresses along with passwords/security questions and answers that would allow account access[1][3].

In response to the breach, University Urology deployed SentinelOne agents for 30 days to monitor for malicious activity and indicators of compromise. They have confirmed that all methods of persistence, unauthorized remote access tools, and malicious files have been removed from their systems. Additional security measures have been implemented to prevent future incidents. While there have been no reported cases of actual or attempted misuse of the exposed data, affected individuals have been advised to monitor their accounts for suspicious activity and have been offered complimentary single-bureau credit monitoring services[1].

The breach has been reported to the HHS’ Office for Civil Rights as affecting 12,759 individuals, which may indicate a subset of the total affected[1]. University Urology has taken several steps to enhance their security, including resetting all passwords, exporting backup data of all critical systems, limiting remote access to authorized personnel, and removing all persistence mechanisms[3].

Citations:

  1. https://www.hipaajournal.com/data-breaches-reported-by-university-urology-and-mcpherson-hospital/
  2. https://www.foxnews.com/us/sadistic-doctor-prominent-hospital-sexually-abused-dozens-patients-got-away-lawsuit
  3. https://www.databreaches.net/ny-university-urology-notifies-56816-patients-of-unauthorized-access-to-their-phi/
  4. https://southfloridahospitalnews.com/urologist-specializing-in-adult-urology-and-minimally-invasive-robotic-assisted-surgery-joins-palm-beach-health-network-physician-group/
  5. https://classlawdc.com/2023/05/08/university-urology-data-breach/
  6. https://www.hackensackmeridianhealth.org/en/services/urology/awards-and-accreditations
  7. https://www.thelyonfirm.com/blog/university-urology-data-breach-investigation/
  8. https://www.businesswire.com/news/home/20230801769477/en/Northwell-Health-is-New-York%E2%80%99s-most-awarded-health-system-by-U.S.-News
  9. https://beyondmachines.net/event_details/data-breach-reported-by-university-urology-over-56000-impacted-j-k-v-x-t
  10. https://www.nytimes.com/2023/01/27/well/the-life-changing-magic-of-a-urologist.html
  11. https://proteuscyber.com/da/privacy-database/news/7261-data-incident-best-urologist-in-nyc-university-urology
  12. https://www.nyit.edu/news/profiles/student_profile_mahmoud_elhagagy
  13. https://www.beckershospitalreview.com/healthcare-information-technology/university-urology-notifies-1-144-patients-their-phi-was-provided-to-a-competing-provider
  14. https://news.weill.cornell.edu/news/2021/10/dr-larissa-v-rodr%C3%ADguez-appointed-chair-of-the-department-of-urology-at-weill-cornell
  15. https://www.databreaches.net/109628-2/
  16. https://news.stonybrook.edu/university/stony-brook-university-hospital-earns-national-recognition-from-u-s-news-world-report/

Breach Submission Date: May 01, 2023
Converted Entity Name: University Urology
Converted Entity Type: Healthcare Provider
State: NY
Individuals Affected: 56,816
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes