University Urology
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
University Urology in New York City experienced a significant data breach, which was first detected due to suspicious activity within their computer systems on February 1, 2023. A thorough forensic analysis was conducted by third-party cybersecurity experts, concluding on March 3, 2023, that files within the network had been accessed. A manual review of these files was completed by March 30, 2023, and notification letters were sent out to the affected individuals on May 1, 2023[1][3].
The breach affected 56,816 individuals, and the types of exposed information varied from person to person. Potentially compromised data included names, dates of birth, addresses, medical conditions, medical treatments, test results, prescription information, health insurance details (including subscriber ID numbers and health plan beneficiary numbers), billing/invoice information, and usernames/email addresses along with passwords/security questions and answers that would allow account access[1][3].
In response to the breach, University Urology deployed Sentinel One agents for 30 days to monitor for malicious activity and indicators of compromise. They have confirmed that all methods of persistence, unauthorized remote access tools, and malicious files have been removed from their systems. Additional security measures have been implemented to prevent future incidents. While there have been no reported cases of actual or attempted misuse of the exposed data, affected individuals have been advised to monitor their accounts for suspicious activity and have been offered complimentary single-bureau credit monitoring services[1].
The breach has been reported to the HHS’ Office for Civil Rights as affecting 12,759 individuals, which may indicate a subset of the total affected[1]. University Urology has taken several steps to enhance their security, including resetting all passwords, exporting backup data of all critical systems, limiting remote access to authorized personnel, and removing all persistence mechanisms[3].
Citations:
- https://www.hipaajournal.com/data-breaches-reported-by-university-urology-and-mcpherson-hospital/
- https://www.foxnews.com/us/sadistic-doctor-prominent-hospital-sexually-abused-dozens-patients-got-away-lawsuit
- https://www.databreaches.net/ny-university-urology-notifies-56816-patients-of-unauthorized-access-to-their-phi/
- https://southfloridahospitalnews.com/urologist-specializing-in-adult-urology-and-minimally-invasive-robotic-assisted-surgery-joins-palm-beach-health-network-physician-group/
- https://classlawdc.com/2023/05/08/university-urology-data-breach/
- https://www.hackensackmeridianhealth.org/en/services/urology/awards-and-accreditations
- https://www.thelyonfirm.com/blog/university-urology-data-breach-investigation/
- https://www.businesswire.com/news/home/20230801769477/en/Northwell-Health-is-New-York%E2%80%99s-most-awarded-health-system-by-U.S.-News
- https://beyondmachines.net/event_details/data-breach-reported-by-university-urology-over-56000-impacted-j-k-v-x-t
- https://www.nytimes.com/2023/01/27/well/the-life-changing-magic-of-a-urologist.html
- https://proteuscyber.com/da/privacy-database/news/7261-data-incident-best-urologist-in-nyc-university-urology
- https://www.nyit.edu/news/profiles/student_profile_mahmoud_elhagagy
- https://www.beckershospitalreview.com/healthcare-information-technology/university-urology-notifies-1-144-patients-their-phi-was-provided-to-a-competing-provider
- https://news.weill.cornell.edu/news/2021/10/dr-larissa-v-rodr%C3%ADguez-appointed-chair-of-the-department-of-urology-at-weill-cornell
- https://www.databreaches.net/109628-2/
- https://news.stonybrook.edu/university/stony-brook-university-hospital-earns-national-recognition-from-u-s-news-world-report/