NY: University Urology notifies 56,816 patients of unauthorized access to their PHI

University Urology (UU) in New York City recently posted a notice about an incident on their website. Their notice, dated May 1, explains that on or about February 1, 2023, UU detected suspicious activity in its environment. The investigation revealed that an unauthorized actor had gained access to protected health information stored in UU’s system. The information accessed varied by individual but may have included: first and last name, address, date of birth; username/email in combination with a password or security question / answer that would allow access; medical condition, medical treatment; medical test results; prescription information; health insurance policy number; subscriber identification number; health plan beneficiary numbers; and billing/invoice. In response to the incident, UU has offered those affected twenty-four months of complimentary credit monitoring and identity theft restoration. As part of their response, they also deployed SentinelOne agents for 30 days which allowed the cybersecurity firm’s security operations center (SOC) to monitor the environment 24/7 for indications of compromise and other malicious activity; reset all passwords; exported backup data of all critical systems; removed all unauthorized remote access tools; limited remote access to authorized personnel; deleted / removed all persistence mechanisms; and banned any identified malicious files from the environment. UU states that it is not aware of any misuse or attempted misuse of the data. The incident was reported to HHS as affecting 56,816 patients.