Several medical groups in the Heritage Provider Network in California suffered a ransomware attack, exposing sensitive patient information to cybercriminals.

The medical groups affected by the cyber attack are Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group and Greater Covina Medical.

The entities collectively issued a data breach notice earlier this month and shared a sample letter with the California Attorney General’s office earlier this week.

Today, the healthcare organization reported to the US Department of Health and Human Services breach portal that data from 3,300,638 patients was exposed in the attack.

Sensitive data was stolen in an attack

The data breach notification says the ransomware attack happened on December 1, 2022, with Regal employees noticing technical difficulties the next day.

After hiring a third-party cybersecurity expert to help investigate, it was determined that malware had infected the organization’s servers, so a system restore process was initiated.

Based on log review, the investigation determined that the following data had been compromised:

• Full name
• Social Security Number (SSN)
• Date of birth
• Address
• Medical diagnosis and treatment
• Results of laboratory tests
• Prescription data
• X-ray reports
• Health plan membership number
• Phone number

Ransomware actors steal this data to create additional leverage when extorting healthcare organizations, taking advantage of the highly sensitive nature of medical data.

Regal’s notice contains instructions on signing up for one year of free credit monitoring through Norton LifeLock.

“Regal understands the importance of protecting your personal information and takes that responsibility very seriously,” reads the notice.

“We will do everything we can to assist people whose personal information may have been compromised and help them navigate the process.”

The healthcare organization says it has implemented additional security measures and stricter protocols to prevent similar incidents and protect sensitive patient information from unauthorized access.

Affected patients should beware of targeted phishing attacks, scams, social engineering or extortion using stolen data.

If you’re not sure if an email or text message is legitimate, ignore it or contact your doctor to confirm if it’s valid.