University Urology in New York City has started notifying 56,816 individuals that unauthorized individuals gained access to some of its systems and potentially obtained their personal and health information. Suspicious activity was detected within its computer systems on February 1, 2023, and third-party cybersecurity experts were engaged to conduct a forensic analysis of the incident to determine the nature and scope of the attack. The investigation concluded on March 3, 2023, that files within its network were accessed. A manual review of those files was conducted and concluded on March 30, 2023. Contact information was then verified, and notification letters were sent on May 1, 2023.
The types of information that were exposed varied from individual to individual and may have included first and last name, date of birth, address, medical condition, medical treatment, test results, prescription information, health insurance information, subscriber ID number, health plan beneficiary number, billing/invoice information and username/email address plus passwords/security questions and answers that would allow account access.
University Urology said Sentinel One agents were deployed for 30 days, which allowed the cybersecurity firm to monitor its environment for malicious activity and indicators of compromise. It has now been confirmed that all methods of persistence, unauthorized remote access tools and malicious files have been removed from its systems, and additional security measures have now been implemented.
While there have been no reported cases of actual or attempted misuse of the exposed data, complimentary credit monitoring and identity theft protection services have been offered to affected individuals for 12 or 24 months.