Urology Patients’ Medical Conditions Exposed in Data Breach

A New York City-based urologist has reported a data breach that exposed patients's identities, medical conditions, and treatments earlier this year.

The practice, University Urology, focuses on oncology, as well as issues such as erectile dysfunction and premature ejaculation for men and low sex drive and overactive bladders for women, according to its website.

"University Urology experienced a data security incident that may involve the personal and protected health information of some individuals it serves," the Lexington Avenue practice said in a May 1 press release. "[University Urology] takes the privacy and security of information in its possession very seriously and sincerely apologizes for any inconvenience this incident may cause."

University Urology first detected suspicious activity "on or around" Feb. 1, and brought on a cybersecurity law firm and third-party specialists to investigate, according to the statement.

The probe concluded on March 3 after investigators found an "unauthorized actor gained access to personal health information stored in [University Urology]'s system," the practice said.

The information accessed by the hacker varied from patient to patient. But based on the review, University Urology believes the unidentified party may have had access to patients's names, addresses, and dates of birth; their usernames and passwords or online account security questions; and their medical conditions, treatments, and test results.

Additionally, the breach may have revealed prescription information; health insurance policy numbers; subscriber identification numbers; health plan beneficiary numbers; and billing or invoice information, according to University Urology.

Social security numbers and financial account information were not compromised, according to the statement.

"While we have no reason to believe that information has been misused as a result of this incident, we are notifying individuals for purposes of full transparency," the practice wrote in the release.

University Urology said it has offered 12 to 24 months of complimentary credit monitory and identify theft restoration services to all patients whose information may have been revealed.

The practice has also reset all passwords in its data system, limited remote access to its electronic systems to authorized employees, and banned any malicious files its identified, among other steps to ensure data security, according to the statement.

"[University Urology] encourages all individuals to remain vigilant against incidents of identify theft and fraud, to review their account statements, and to monitor their credit reports for suspicious or unauthorized activity," the practice said. "Additionally, individuals should contact their financial institution and all major credit bureaus to inform them of the incident and then take whatever steps are recommended."