DES MOINES, Iowa (WHO) — Des Moines Orthopedic Surgeons is notifying patients that their personal information may have been stolen after the medical facility suffered a security breach in February 2023.

In a letter to patients, DMOS said an “unauthorized actor” was able to access and remove certain DMOS files. The medical facility said it became aware of the stolen information in December 2023, and started notifying patients in January.

The letter also included DMOS’s investigation into the types of data stolen. The investigation shows that the patient data obtained may have included individuals’ full names and addresses, as well as dates of birth, state ID numbers, Social Security numbers, driver’s license numbers, medical information, health insurance information, and direct deposit bank information.

DMOS advises patients to take steps toward protecting themselves, such as credit monitoring, fraud alerts, and security freezes.

Doug Jacobson, director of Iowa State University’s Cybersecurity Innovation and Outreach, said this breach is one of the worst he’s seen, and said that the stolen data is “everything you’d want as a thief.”

“Your social security number is yours for your lifetime, and your date of birth is for your lifetime. So, some of that data is usable forever. Bank account can be changed, but some of that data is permanently yours,” said Jacobson.

Jacobson also said the stolen data is out there forever and can be accessed by individuals globally, putting individuals at high risk.

“This appears to be on what they call the dark web, this data. So, anyone across the world can buy this data, they can buy a patient record. You can buy credit card numbers on the dark web. And so, the danger is that this information spreads globally, and a lot of the time the people that take advantage of this are in jurisdictions where we can’t do anything about it. So, this makes this a very big problem,” said Jacobson.

Another issue that Jacobson noted was the amount of time it took for DMOS to realize that data was stolen after the initial attack. “It was a little longer than what we would normally expect. A February timeline of some type of data breach, and then waiting until December before they realized that something was taken, that’s an awful long time,” said Jacobson.
