Electrostim Medical Services, operating as EMSI in Florida, disclosed a cyberattack in May 2023 that affected 542,990 patients. The company reported the incident to the HHS’ Office for Civil Rights, revealing that unauthorized individuals accessed parts of the network containing patient data. Although data theft wasn’t confirmed, there is a possibility that patient information was copied during the two-week unauthorized access period between April 27, 2023, and May 13, 2023. Electrostim Medical Services detected suspicious activity on May 13, 2023, and engaged third-party cybersecurity experts to assess the situation.
Following the breach, the company conducted an extensive review of its network to determine the individuals and data types involved. The delay in notifying affected individuals was attributed to this comprehensive review, along with the need to identify contact information for notification letters. The types of information potentially exposed varied among individuals, including names, addresses, email addresses, phone numbers, diagnoses, insurance details, subscriber numbers, and prescribed/billed products. Electrostim Medical Services emphasized that it hasn’t discovered any attempted or actual misuse of patient data as a result of the security incident.
Notification letters detailing the breach were sent in late December, and the company has taken measures to bolster network security in response to the incident. The breach underscores the ongoing challenges in securing medical data, prompting organizations to continually enhance their cybersecurity measures to protect sensitive patient information. The incident at Electrostim Medical Services adds to the growing list of healthcare-related data breaches, emphasizing the need for vigilance and proactive security measures in the healthcare sector.
