The personal data breach affecting 300,000 patients disclosed last month by Women's Health Care Group of PA LLC was the third-largest reported this year to the U.S. Department of Health and Human Services, according to the agency's website.
Women's Health Care Group, which in March merged with Regional Women's Health Group in New Jersey to form what the companies described as the largest U.S. Ob/Gyn practice, notified patients of the breach on July 18, more than two months after it discovered the ransomware.
"It does seem to be an unusually long period of time," Adam Levin, chairman of CyberScout, a cybersecurity firm, said of the two-month delay. Two factors could have caused it, he said. They could have been trying to figure out if data had actually been taken and they could have been under orders from law enforcement to keep the breach under wraps.
Pennsylvania requires notification "without unreasonable delay."
A woman who answered the phone at the group's office in Oaks on Friday said that the company had no comment.
The notice said the hackers had gained access to the company's computer systems as far back as January. "We have been unable to determine if any specific information was actually acquired or viewed in connection with this incident," the notice said.
If the hackers took data, it would have included names, addresses, dates of birth, and Social Security numbers, enough to create major problems for consumers. The only key information missing was driver's license numbers.
Women's Health Care had backups of the data, which means that services were not disrupted. "That's something everybody should be doing," Levin said.