NorthBay Healthcare Corporation manages two hospitals, namely NorthBay VacaValley Hospital and NorthBay Medical Center, and several primary care areas in California. The healthcare system recently reported a data breach affecting the personal data and protected health information (PHI) of 569,012 individuals.
According to the notification submitted to the Maine Attorney General, suspicious activity was discovered inside its system on February 23, 2024. NorthBay Healthcare started an internal investigation, notified law enforcement, and engaged third-party cybersecurity professionals to help with the investigation. The breach notification letter mentioned that a threat actor had access to its system from January 11, 2024 until April 1, 2024. The security breach was discovered only after more than 6 weeks. The breach notice doesn’t say why it took so long to block the unauthorized third party.
The investigation revealed that the threat actor accessed files containing patient information. The file analysis report showed that the types of breached data included names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, biometric data, medical data, medical insurance details, financial account numbers, usernames/passwords, and debit/credit card numbers, which included expiration dates, PINs and/or security codes.
NorthBay Healthcare stated it has improved its technical safety measures to prevent similar data breaches in the future and has provided the impacted persons with a one-year membership to an identity theft protection and credit monitoring service. Personal notification letters were sent to the impacted people on January 29, 2024, over 11 months after the breach was discovered. NorthBay Healthcare stated it is convinced that the exposed information was not misused for fraud or identity theft. Considering the sensitivity of the breached data, it is a good idea to use the assistance being provided and to carefully review accounts and explanation of benefits statements from January 2024 to date for signs of personal data misuse.