First Choice Community Healthcare, Inc. Confirms Data Breach Impacting Patients’ Protected Health Information

Console and Associates, P.C.

On August 1, 2022, First Choice Community Healthcare, Inc. confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on First Choice’s network. According to First Choice, the breach resulted in the patients’ names, Social Security numbers, and protected health information being compromised. Recently, First Choice sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the First Choice Community Healthcare data breach, please see our recent piece on the topic here.

What We Know About the First Choice Community Healthcare Data Breach

According to an official notice filed by the company, on March 27, 2022, First Choice discovered unusual activity on its computer system, leading the company to believe it may have been the victim of a cyberattack. In response, First Choice enlisted the assistance of an independent cybersecurity firm to investigate the incident and determine if any patient data was compromised as a result.

The company’s investigation confirmed that an unauthorized party was able to access, and may have removed, patients’ personal and protected health information.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, First Choice Community Healthcare then reviewed the affected files to determine what information was compromised and which consumers were impacted. The company completed this process on June 3, 2022. While the breached information varies depending on the individual, it may include your name, Social Security number, First Choice patient ID number, diagnosis and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth, and provider information.

On August 1, 2022, First Choice Community Healthcare sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

First Choice Community Healthcare, Inc. is a healthcare system based in Albuquerque, New Mexico. First Choice operates nine facilities across three New Mexico counties, including:

  • Alameda Medical Center

  • Alamosa Medical Center

  • Belen Medical Center

  • Edgewood Medical/Dental Center

  • Los Lunas Medical/Dental Center

  • North Valley Medical Center

  • Rio Grande HS - School Based Medical Center

  • South Broadway Medical Center

  • South Valley Medical/Dental Center

First Choice Community Healthcare employs more than 435 people and generates approximately $63 million in annual revenue.

Data Breaches Involving Protected Health Information Are on the Rise

The First Choice Community Healthcare data breach affected a wide range of patient data, including Social Security numbers, insurance information and other healthcare-related information. Based on the company’s statements in its data breach letter, the information leaked as a result of this breach appears to fall into the category of “protected health information.”

Protected health information is any identifying information that relates to a patient’s health condition or how a patient pays for their healthcare. For example, the results of a diagnostic test, prescription information, and past diagnoses can all be considered protected health information. However, this information is only considered to be protected health information if it contains at least one identifier. An identifier is an additional piece of data that can be used to identify a patient. A few common identifiers include:

  • Biometric identifiers, such as fingerprints;

  • Email addresses;

  • Fax numbers;

  • Full-face images or other identifying photographs;

  • Geographical identifiers (more specific than a patient’s state of residence);

  • Medical record numbers;

  • Patient account numbers;

  • Patient names;

  • Phone numbers;

  • Social Security numbers; and

  • Treatment dates.

Because protected health information, by definition, is easily linked to a patient, this data can be used by criminals to conduct identity theft or other frauds against a patient. While any form of identity theft is serious, healthcare identity theft is often much harder to resolve and doing so comes at a far greater cost to patients than other types of data breaches, such as those that only impact their financial information.

One reason why healthcare data breaches are so serious is that, aside from the typical risks of fraud and unauthorized transactions, healthcare data breaches can put patients’ physical health in jeopardy. In a typical scenario, a hacker sells a patient’s information to a third party who is looking to obtain medical treatment but cannot afford it or doesn’t want to pay for it. The third-party purchases patient data from the hacker and then uses it to obtain medical care in the victim’s name.

In doing so, however, the fake patient’s medical information may get mixed up with the patient’s medical information. For example, the fake patient could give a doctor a list of their current prescription drugs, their previous medical procedures, or the medications that they are allergic to. This can result in a patient’s medical record containing inaccurate information, which may confuse providers, leading to an increased risk of harm to the patient.

Healthcare data breaches pose very real risks, and those who fall victim to such a breach should be sure to take the necessary steps to protect themselves.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide