Cyber Incident Victim: CentroMed
Date: Jun 2023
Location: United States of America
Summary
CentroMed experienced a data security incident involving unauthorized access to its IT network. The breach potentially compromised sensitive information of approximately 350,000 individuals, including patients, employees, and their dependents. The exposed data encompassed names, Social Security numbers, financial account details, health insurance IDs, and medical claims information. The organization launched an investigation and subsequently implemented additional technical safeguards to protect its systems.
Description
On June 12, 2023, El Centro Del Barrio d/b/a CentroMed was alerted to a potential unauthorized access incident affecting its information technology network. The organization immediately launched an investigation into the potential security event. The subsequent investigation determined that an unauthorized party had successfully gained access to some of the organization's systems on June 9, 2023. While inside the IT network, the intruder accessed files containing information pertaining to CentroMed’s current and former patients, its employees and providers, and the spouses, partners, and dependents of those employees and providers. The investigation conducted by CentroMed could not rule out the possibility that files containing personal information were subject to unauthorized access and exfiltration as a direct result of this intrusion.

The scope of the incident was significant, affecting approximately 350,000 individuals. The types of information involved varied depending on the individual's relationship with CentroMed. For patients, the compromised data included name, address, date of birth, Social Security number, financial account information, medical records number, health insurance plan member ID, and claims data, which encompassed diagnoses listed on those claims. For current and former employees and providers, the accessed information included name, Social Security number, financial account information, health insurance plan member ID, and claims data. The same set of data points—name, Social Security number, financial account information, health insurance plan member ID, and claims data—was also accessed for the spouses, partners, and dependents of current and former employees and providers.
In response to the incident, CentroMed took several steps to address the breach and assist affected individuals. The organization began providing formal notice to all individuals whose information may have been involved on August 11, 2023. To facilitate communication and answer questions, CentroMed established a dedicated, toll-free call center. This call center was made available from Monday through Friday, 8 am to 8 pm Central Time, excluding major U.S. holidays, at the number 888-220-4763. The organization stated that it took the incident very seriously and regretted any concern it may have caused. To help prevent a similar occurrence in the future, CentroMed implemented additional safeguards and technical security measures designed to further protect and monitor its systems.
The notice provided to individuals included specific recommendations for steps they could take to protect themselves from potential fraud and identity theft. Patients were advised to carefully review the statements they receive from their healthcare providers and to immediately contact the relevant provider if they identified services they did not receive. All individuals were encouraged to remain vigilant by reviewing their financial account statements for any suspicious activity and to report any such activity to their financial institution immediately. The notice provided extensive information on how to obtain free credit reports and detailed the processes for placing both fraud alerts and security freezes on credit files with the three nationwide credit reporting companies: Equifax, Experian, and TransUnion. Specific instructions and mailing addresses were supplied for initiating security freezes. Furthermore, individuals were directed to contact the Federal Trade Commission, their state Attorney General’s office, and local law enforcement authorities if they believed they were a victim of identity theft or had reason to believe their personal information had been misused.
A separate section of the notice was dedicated to protecting the information of children who may have been affected. Parents or guardians were advised to be vigilant by reviewing their child’s account statements and any available credit reports for unauthorized activity. Instructions were provided on how to request a copy of a child’s credit information from the three credit bureaus. The notice also explained the right to place a credit freeze, or security freeze, on a child’s credit file at each credit reporting company free of charge. Detailed requirements for requesting a child’s security freeze were listed, including the need to supply the child’s full name, Social Security number, date of birth, address history, proof of current address, a photocopy of a government-issued ID, and if applicable, a copy of a police report. The mandated timeframes for the credit bureaus to place, temporarily lift, or remove a security freeze on a child's file were explicitly outlined in the notice.
The incident was reported to the Texas Attorney General’s office, and with 350,000 affected individuals, it was noted as the ninth-largest data breach reported to the state agency since a new law went into effect nearly two years prior. This law requires certain businesses that experience a data breach to notify affected consumers and the attorney general’s office. The breach represented a significant compromise of sensitive personal, financial, and health information for a large volume of people connected to the San Antonio-based healthcare provider. The compromise of claims data, including diagnoses, elevated the severity of the incident beyond a standard personal information leak to a potential violation of health privacy. The organizational response focused on investigation, notification, and the enhancement of technical security measures, while the individual response guidance focused heavily on financial vigilance and credit monitoring to mitigate the risk of identity theft and fraud.
