Medical devices maker PRC-Saltillo confirms major breach of patient records

Ohio-based medical devices manufacturer PRC-Saltillo said it experienced a data security incident that compromised the sensitive personal information of more than 50,000 individuals.

 

In a data security incident notification filed with the Office of Attorney General of Vermont, Prentke Romich Company, doing business as PRC-Saltillo, said that on August 21, it identified suspicious activity in its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Through the investigation, PRC-Saltillo determined that between August 13 and August 21, 2024 an unauthorised actor may have copied certain files and folders from PRC-Saltillo’s network without authorisation. We promptly began a review of the relevant files and folders and on September 3, 2024 determined that certain files contained your information,” reads the notice.

 

The compromised data included names, addresses, phone numbers, dates of birth, treatment cost information, referring/treating physician, health insurance policy numbers, Medicare/Medicaid plan names, and medical devices purchased.

 

Prentke Romich Company’s filing with the United States Department of Health and Human Services revealed that at least 51,627 individuals were impacted by the data security incident.

 

“In response to this event, we promptly took steps to secure our systems. As part of our ongoing commitment to the privacy of information in our care, we are reviewing our policies, procedures, and processes related to the storage and access to personal information,” PRC-Saltillo added.

 

The company has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

 

It has also offered complimentary identity protection and credit monitoring services through Experian to all affected individuals.

 

In September, a group of threat actors going by the name Fog ransomware claimed responsibility for the cyber attack on PRC-Saltillo and listed it as a victim on its data leak site. The group claimed to be in possession of 250GB of data stolen from the company.