Delta County Memorial Hospital District (‘Delta Health’) in Colorado recently disclosed a cyberattack that took place between May 27 and May 30, 2024, potentially exposing the protected health information (PHI) of 148,363 individuals.
What happened
On May 30, 2024, Delta Health identified suspicious activity within its computer network. A subsequent investigation confirmed that an unauthorized third party had accessed and exfiltrated files containing sensitive patient data between May 27 and May 30, 2024.
The compromised information included names, addresses, phone numbers, dates of birth, financial account details, medical and health insurance information, Social Security numbers, and driver’s license numbers.
Delta Health notified the U.S. Department of Health and Human Services (HHS) of the breach on July 29, 2024, but did not specify the number of affected individuals until a later report to the Maine Attorney General’s Office.
The backstory
Initially, Delta Health reported the breach to HHS with a placeholder of "501" affected individuals, as the full extent of the breach was still unknown. The investigation confirmed that 148,363 individuals had been affected.
Notifications to affected individuals began on July 29, 2024, but were not completed until January 31, 2025. The reason for the delay remains unclear.
What was said
Delta Health’s notification letter to Maine residents states, “While we have no evidence that your personal information has been misused, we encourage you to take advantage of the complimentary credit monitoring included in this letter.”
Why it matters
Despite Delta Health’s claim of no evidence of misuse, the delayed notification process raises concerns about HIPAA compliance and patient data security. Given the increasing frequency of cyberattacks on healthcare organizations, institutions must improve their cybersecurity measures to mitigate these risks and maintain HIPAA compliance.
FAQs
What is a data breach?
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Are there any costs associated with placing a fraud alert or credit freeze?
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.