The Millions of Patients Receive Healthcare Data Breach Notifications


Utah Imaging Associates began notifying nearly 600K of a healthcare data breach, and Eskenazi Health began notifying over 1.5 million individuals.

Covered entities must post a notice on the home page of its website for at least 90 days if there are more than 10 individuals with out-of-date contact information to ensure that impacted individuals have an increased likelihood of seeing the notice.

Individual notices must be provided via first-class mail no later than 60 days following the discovery of the breach. The notification must include a description of the brief, a description of the types of information that was exposed, and an explanation of what the entity is doing to investigate the breach.

If a breach impacts more than 500 individuals, covered entities are required to notify prominent media outlets and the HHS secretary.

Healthcare entities that experienced some of the biggest data breaches of 2021 began notifying impacted individuals of security incidents via mail in recent weeks.

Utah Imaging Associates (UIA) posted a notice on their website alerting nearly 600,000 current and former patients of a data security incident that may have exposed protected health information. The breach gained media attention as one of the largest reported breaches of 2021 listed on the Office for Civil Rights (OCR) data breach portal. UIA began notifying impacted individuals on November 18.

According to the Maine attorney general’s office, the exposed information may have included Social Security numbers, health insurance policy numbers, medical treatment, diagnosis, and prescription information, along with mailing addresses, birth dates, and first and last names.

On September 4, UIA detected suspicious network activity and said it promptly secured the network and began the remediation process. The radiology practice engaged a cybersecurity firm to conduct an investigation and found that the breach began on August 29. The investigation revealed that an unauthorized actor obtained access to files containing sensitive data.

At this time, UIA said it has not received any reports of identity theft relating to the incident.

“We are committed to doing everything we can to help protect the privacy and security of the personal information in our care. Since the discovery of the incident, we have taken and will continue to take steps to mitigate the risk of future issues,” UIA stated in its letter to patients.”

“Notably, upon discovery of the incident, we moved quickly to initiate our incident response plan, which included conducting an investigation with the assistance of the third-party forensic specialists to contain and safely restore our systems. We are also enhancing our security measures for our systems and servers, and have installed end-point monitoring tools to continuously monitor our system.”


Eskenazi Health in Indiana began notifying patients on November 11 via US mail of a cyberattack that occurred six months ago, FOX59 reported. The breach occurred on August 4 and was reported to OCR on October 1. The cyberattack impacted more than 1.5 million individuals, making it one of the largest reported healthcare data breaches of 2021.

Eskenazi first posted a notice of the incident on August 24, stating that it had experienced a cyber event and it did not plan to make any payments to ransomware actors and said that it was unclear whether patient information was exposed. The incident initially led to significant ambulance diversions and EHR downtime.

On October 1, Eskenazi updated the notice after finding out that the event was in fact a ransomware attack and that bad actors had stolen and posted patient information on the dark web.

The exposed information may have included names, birth dates, addresses, phone numbers, medical record numbers, diagnoses, and clinical information, prescription information, driver’s license numbers, passport numbers, full-face photos, Social Security numbers, credit card information, email addresses, and insurance information.


Vitreo-Retinal Medical Group, also known as Retinal Consultants Medical Group, began notifying over 11,000 individuals of a data security incident that may have impacted personal and medical information. The incident occurred in July, and Vitreo began notifying patients on November 9.

“On or about July 12, 2021, Vitreo experienced a service disruption that was determined to be caused by a sophisticated cyber-attack. We immediately launched an investigation to determine the nature and scope of this incident, working with outside cybersecurity specialists to securely restore our systems and determine the full impact of this event on our data,” Vitreo stated.

“We also notified and are cooperating with federal law enforcement. Unfortunately, the investigation was not able to determine what, if any, Vitreo data may have been accessed or viewed without authorization.”

Vitreo completed a programmatic and manual review of the potentially impacted data on October 19 and determined that the unauthorized actor may have had access to names, birth dates, patient account numbers, Medicare and Medicaid information, usernames and passwords, health insurance information, treating physician names, diagnosis codes, and Social Security numbers.

The eye care provider will offer complimentary credit monitoring to impacted individuals and recommend that customers place a fraud alert on their credit files.

For More Information: millions of patients receive healthcare data breach notifications