RUMC Notifies Federal Regulators They Were Hacked 18 Months Ago

An unauthorized individual gained access to the network of Richmond University Medical Center (RUMC) on or around May 6, 2023 accessing patient records as part of a ransomware attack that disrupted their IT system for three weeks. RUMC reported the data breach in a Dec. 19, 2024 notice to federal regulators.

Following the attack, RUMC contracted with cybersecurity consultants to conduct an investigation. RUMC maintains that patient's electronic health records were not accessed, but files containing personal identifiable information of patients were.

On December 1, 2024, the manual review process determined that at least one of those files contained personal information, including full names and one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, biometric information, user credentials, medical treatment/diagnosis information, and/or health insurance policy information.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires entities such as RUMC to provide notification to affected individuals within 60 days of discovering a protected health information compromise and to also report such incidents affecting 500 or more people to federal regulators within that same timeframe.

A recent report by IBM found that data breaches take an average of 292 days to identify and contain. The Cost of a Data Breach Report 2024 also found that 46% of breaches involve customer personal data.

Individuals with questions for RUMC concerning this incident may call a dedicated line at 888-326-0991.