Copyright © 2021 Albuquerque Journal
A massive data breach at University of New Mexico Health may have allowed a third party to obtain certain medical records from 600,000-plus patients – more than a quarter of the state’s population.
UNM Health has been mailing letters to affected patients who had been treated at either UNM Hospital, UNM Medical Group or the UNM Sandoval Regional Medical Center, hospital officials said in a news release. The breach happened May 2 and UNM learned of it June 4, according to the release.
Dr. Michael Richards, senior vice chancellor for clinical affairs for the UNM Health System, said in a video posted to the health system’s website that patient names, medical record numbers and Social Security numbers were among the information obtained during the data breach. He said patient electronic medical records were not involved in the hack.
“We have no indication that any of this information has been misused,” he said.
Richards said UNM created a call center dedicated to the data breach so affected people can ask questions. The number is (855) 623-1973. He also said UNM Health will provide complimentary credit monitoring and data protection services to patients who had their Social Security numbers taken. UNM declined to say Tuesday how much they intend to spend on those efforts.
“UNM Health takes this issue very seriously and is taking steps to help ensure something like this does not happen again,” UNM said in the news release. “UNM Health has provided additional education to staff, and is enhancing the security of its systems and the information it maintains.”
UNM refused to say Tuesday how many patients were affected and over what timeframe.
However, the U.S. Department of Health and Human Services’s website, which publishes information when breaches of protected health information affect more than 500 people, shows 637,252 people were affected by the breach at UNM.
In one of the letters sent out in the aftermath of the breach, Laura Putz, the UNM Health Sciences Center privacy officer, told a parent that a third party had gained access to their child’s medical records, health insurance information and other details about the patient. The letter said that their child’s Social Security number and financial information were not compromised.
“While we are not aware of any misuse of your child’s information, we want to advise you of the incident and assure you that we take it very seriously,” Putz wrote.