Hackers might have stolen patients’ medical charts, Social Security numbers, health data

LONGMONT, Colo. -- Hackers might have stolen personal information from potentially every patient at a Boulder County clinic.

Longs Peak Family Practice posted a lengthy statement on its website this week alerting patients to a cybersecurity breach within its system. LPFP says hackers accessed its computers on Nov. 5, 9 and 10.

“We did not find any evidence of any patient files being opened on the LPFP computers, but because some of the software installed by the hackers could have been used to download computer files and some files were encrypted, we cannot be sure that health information was not compromised,” the statement said.

The medical office said no credit card information was taken. Patient medical charts, which might have been compromised, contain names, addresses, birthdates, phone numbers, email addresses, Social Security numbers, insurance carriers and driver’s license information.

The charts would also contain private medical information such as diagnoses, medical conditions, labs and other health reports.

“They’ve caused a problem for you for the rest of your life. They’ve lost your medical records. They’re out in the wind now,” Ray Hutchins of Denver Cyber Security said.

He said that while credit cards can be replaced, patients can’t change their blood type, medical history or other personal information. Once a criminal has that information, they can use it to commit identity theft.

“They can go file medical claims, fraudulent medical claims,” Hutchins said. “Maybe they’re going to use your records and go out and get opioid drugs to sell them.”

In a worst-case scenario, Hutchins believes victims could even be facing future health risks if someone else is getting procedures done while posing as the victim.

“If you had an emergency and the medical people were looking at those records thinking that was all you when in fact it wasn’t you,” he said.

Hutchins said this breach is just the latest example of companies’ bad habit of failing to take cybersecurity seriously.

“Ninety-nine-point-nine percent of all businesses out there and all people out there are doing nothing,” he said. “People are not alarmed because they don’t actually see the property moving out the door.”

While it is up to businesses to protect data, he said consumers need to be careful to do business only with companies that have proper cybersecurity.

“You ask them, what are you doing to protect my private information I’m giving you? What do you do?” he said.

Longs Peak Family Practice said it has since employed a variety of safeguards to protect patient data in the future.