Radiology office's server hacked to play Call of Duty: Black Ops
by Brendon Nafziger, DOTmed News Associate Editor | January 13, 2011
A large radiology practice in New Hampshire said Wednesday hackers apparently breached a server containing Social Security numbers and medical codes for hundreds of thousands of patients, with the culprits likely rogue gamers looking for bandwidth to play the popular military shoot-'em-up Call of Duty: Black Ops.
The group estimates 231,400 patients might have been affected by the breach.
On Tuesday, Seacoast Radiology, PA of Rochester, N.H. sent out letters to all potentially affected patients, according to a notice on a website set up by ID Experts, a company that handles public relations for security breaches.
The notice said that on Nov. 12 the radiology practice discovered someone had accessed an office server, where patient names, phone numbers, medical diagnosis codes, procedure codes and Social Security numbers were stored. The server also contained personal information of "insurance guarantors" for some of the patients, the notice said.
But the group said there's no evidence any of the information has been misused, and that identity theft probably wasn't the motivation. An investigation discovered the breach was likely caused by gamers based in Scandinavia, who were just looking for servers to run the best-selling video game, the group said.
"They wanted to hijack space for bandwidth to play this game," Lisa MacKenzie, a spokeswoman for the group, told DOTmed News. "They didn't have any interest in this data."
Also, radiology reports and images were not stored on the server, nor were credit card numbers, as the practice does not accept payment by credit card, according to a statement issued by Seacoast Radiology.
The practice said it took as long as it did to report the security breach because it had to gather all the relevant information and identify patients. The group said it's also reviewing its privacy and security programs and will "further enhance the protection of privacy and the handling of sensitive information."
Provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act require companies to contact the media or issue press releases if a security breach affects 500 or more patients, which Seacoast Radiology did.