
Palomar Health Medical Group silent on ‘cybersecurity incident’ months later

NBC 7 Responds has been pushing Palomar Health Medical Group to address their patients’ concerns. In the meantime, Responds looked into what and when they were required to report about the cybersecurity incident.


Palomar Health Medical Group is still not saying what forced them to shut down their computer systems more than seven weeks ago. Patients told NBC 7 Responds they are still struggling to get medical attention.

Camila Cortez from Escondido said getting an appointment has been a nightmare.

“It’s been terrible. I’ve been trying for over a month to make an appointment. I called, but they never answered,” she said.

She said she desperately needed one after going to urgent care about a month ago with a high fever and trouble breathing.

“Just to get through to an assistant is nearly impossible,” Cortez said. “I tried their system online, and that thing changes every day. I make a login and it never works.”

Other patients have reached out to NBC 7 Responds with the same frustrations. They said they’re upset with Palomar’s handling of the cybersecurity incident that in early May forced them to shut down their computer and phone systems. Since then, the medical group has been setting up appointments and filling prescriptions using a patchwork system.  

“It’s confusing, it’s frustrating. All I want to do is get better really,” Cortez said.

NBC 7 Responds has been pushing Palomar Health Medical Group to address their patients’ concerns, and they said they would get back to us when they have a response. As we continued to wait for one, we decided to find out what and when they were required to report about the cybersecurity incident.

The California Department of Public Health (CDPH) requires healthcare facilities to report any breach that may have compromised a patient’s medical information no later than 15 business days after it was detected. That would have been May 24 in this case. We asked the health department if they had received notification, but they would not tell us.

On the federal level, if a breach impacts more than 500 patients, the HIPAA Breach Notification Rule requires health facilities to notify patients, the media, and the Department of Health and Human Services (HHS) of the breach within 60 days. We checked the portal and didn’t see Palomar Health Medical Group listed, but we’re still within that 60-day window.

Cortez said she doesn’t care about any of that right now. She just wants to get better.

“I want to continue on with my job. I want to continue on with my life but having that constant cough and that constant illness is getting in the way,” Cortez said.

Palomar Health Medical Group sent an email to patients on June 12, saying they anticipated regaining access to the internet and electronic medical records within a week. It’s been about two weeks and patients say that hasn’t happened.

An employee shared an internal email with us that was also sent June 12. It said they expected to have 85% of their systems back by July 1 and 100% by July 18.

The cybersecurity incident did not impact Palomar Medical Centers in Poway and Escondido.
