In August 2020, the ransomware gang Maze alleged that it had stolen patient data from Ventura (Calif.) Orthopedics and planned to post the information online. At the time, the orthopedic practice refused to confirm or deny the claims, according to a Nov. 2 report from DataBreaches.net.
Subsequently, another ransomware gang, Conti, listed information about 1,850 Ventura patients on its leak site.
In January 2021, DataBreaches published a report on several data breaches that had never been publicly disclosed, including the Ventura breach.
That same month, DataBreaches filed a watchdog complaint with HHS about Ventura.
In April, HHS contacted DataBreaches for more information on the leak, and in September Ventura's CFO and IT Director met with DataBreaches to discuss the hack. Ventura's current CFO and IT Director were not on staff with Ventura at the time of the leak, according to the report.
Now, more than three years after the data breach, Ventura is reaching out to patients with a letter about the information leak.
"Recently, we became aware that a health information security breach that occurred on July 28, 2020, was more extensive than we believed at the time," the letter said. "… Our initial investigation indicated that the health information of only one patient had been compromised. However, on September 13, 2023, we learned that breach involved information about a larger group of patients."
Leaked information included patient names, dates of birth and drug and lab testing from 2016, 2017 and 2018.
The letter also stated that in 2020, Ventura performed an outside security audit that confirmed its medical record system had not been infiltrated.