Crescent Community Health Center announced Thursday that it experienced a significant data breach in December 2023, potentially compromising the sensitive personal information of up to 501 pharmacy patients. The breach, which occurred at Crescent’s InFocus Pharmacy between December 10 and 13, may have exposed a wide range of data, including names, addresses, dates of birth, and various forms of identification and medical information.
According to a press release from Crescent, the breach also affected a limited number of individuals whose Social Security numbers, financial account details, payment card information, passport data, biometric information, IRS PIN numbers, and login credentials may have been stolen. Crescent’s Compliance and Privacy Officer, Jennifer Cavanagh, declined to comment on the exact number of individuals affected, referring inquiries to the press release.
The U.S. Department of Health and Human Services Office for Civil Rights confirmed that up to 501 individuals were impacted by the incident.
The breach was discovered on December 15, 2023, when Crescent detected unauthorized access to certain email accounts associated with the pharmacy’s domain, infocuspharmacy.com. Upon identifying the breach, Crescent immediately reported the incident to law enforcement and engaged a national cybersecurity firm to assist in investigating the scope and impact of the breach.
Over the subsequent months, Crescent undertook an extensive data mining process to identify the affected individuals and determine what specific information was compromised. Earlier this week, the health center sent out letters to those potentially impacted, detailing the nature of the breach and the specific data that might have been exposed.
So far, Crescent has not received any reports of misuse, identity theft, or fraud resulting from the breach. However, the organization has implemented enhanced security measures to protect against future incidents, though specific details of these improvements were not disclosed.
Dubuque Police Department Lt. Luke Bock advised individuals affected by the breach to monitor their accounts for suspicious activity. He recommended that those whose Social Security numbers were compromised contact the Social Security Administration, and urged anyone with compromised payment information to notify their bank to freeze accounts and request new payment cards.
