NBC 7 Responds

Was Palomar Health patient data compromised? Cybersecurity experts call for transparency

The health system took most of its computer systems offline after detecting a cybersecurity incident

More than three weeks after Palomar Health Medical Group detected "suspicious activity" in its network, patients still don’t know if any of their personal data was compromised.

“Nobody said anything about what happened, what they did, what they fixed. Nothing,” patient Vernon Weaver told us back on May 7. “They have my name, address, phone number, blood type, date of birth, social security number, next of kin.”

Weaver told us PHMG sent out an update on May 21, but again, it didn’t say anything about potential data being exposed.

May 21 letter sent to patients

Palomar Medical Centers in Poway and Escondido have not been impacted by the cybersecurity incident.

“Unfortunately, these incidents are ransomware, and eventually it’ll come out,” said Sai Huda, CEO of CyberCatch.

While PHMG has not said whether it was a ransomware attack, Huda suspects it is, based on the notices sent to patients and on his experience dealing with cybersecurity emergencies.

Huda said no news on potentially compromised data may be good news for patients.

“It’s possible that they caught the ransomware early and it maybe didn’t involve infecting a bunch of systems, maybe a few, and it’s possible that data may not have been exfiltrated.”

Whatever is going on, the Identity Theft Resource Center says patients deserve to know more information by now.

“Companies have enough time to get at least the basic information available before they send out most data breach notices,” said James E. Lee, COO of the ITRC.

Lee is concerned that nearly a month later, patients still don’t know what data may have been compromised.

“Be as transparent as you can today, explain to people the limitation. Don’t just leave this information vacuum so they don’t understand why you can’t be more forthcoming.”

Lee says over the last few years, there’s been less transparency when it comes to data breaches throughout the nation. He says in 2021, 100% of data breach notices had information about what happened, what information was compromised and how many people were affected. He says since then, this level of transparency has dropped to about 50% in 2023 and 32% so far in 2024.

“Constant communication is always going to be valuable, even if you don’t necessarily have a lot of new information, just again, reiterating to people there are things you can be doing,” Lee said.

We took the ITRC’s concerns to PHMG. They responded that they had nothing new to add to the statement they sent us three weeks ago.

That statement read: “Third-party specialists are working with Palomar Health Medical Group to investigate the source of this disruption, to confirm its impact on our systems, and to restore full functionality to our systems as soon as possible. We are also investigating what impact, if any, this incident had on the security of data within our environment.”

Again, PHMG has not described what happened as a data breach or ransomware attack. Regardless, CyberCatch agrees with the ITRC that more transparency with patients is needed.

“It shouldn’t be, wait a long time and tell everything. It should be, you know, tell as events evolve. I think that’s good transparency,” Huda said.

The ITRC says just monitoring your credit is not enough anymore because you’ll be fighting an uphill battle if you detect someone has stolen your identity. It’s better to proactively freeze your credit with the three big credit reporting bureaus to prevent anyone from opening up any new accounts in your name. If you need to apply for credit, you can temporarily lift the freeze.

Use these links to freeze your credit for free:
Equifax
Experian
TransUnion
