A data breach at Dynasplint Systems, a company that manufactures splint systems for range of motion rehabilitation, may have compromised personal data on more than 100,000 patients, including names and some medical information.
The data breach affected up to 102,800 people who purchased or attempted to purchase the company's devices, according to a report the company submitted to HHS' Office for Civil Rights. The HHS agency publicly posted the report to its online database of healthcare data breaches in an update Wednesday, although the company submitted its report on Aug. 6.
Severna Park, Md.-based Dynasplint Systems discovered the data breach in May, when employees were unable to access the company's system after it was encrypted in a cyberattack, according to a letter sent by a lawyer representing Dynasplint Systems to Iowa's attorney general Tom Miller.
The company in June determined that the cyberattacker accessed and may have acquired personal and protected health information, including the names, addresses, dates of birth, Social Security numbers and medical information of some of its customers.
Dynasplint Systems did not immediately respond to a request for additional details on the incident and whether it was able to decrypt its system. In its report to OCR, Dynasplint Systems categorized the event as a hacking or information-technology incident that affected its network server.
HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department.
Dynasplint Systems in its letter to affected customers said it "strongly encourage(s)" activating the 12 months of free identity monitoring services that the company is offering.
In a notice posted on its website, Dynasplint Systems said its investigation to date has found no evidence to suggest that information compromised in the data breach has been misused. The company said it has reported the incident to law enforcement.
"Dynasplint Systems reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable," the company said in the notice.