Medical IDThousands of patients seeking medical treatment may be at risk of identity theft following a breach of systems belonging to the biotech firm Genentech, according to a letter sent to New Hampshire’s Attorney General on behalf of the company late last month.

As many as 3,500 patients may have had information leaked in the breach, which occurred on August 17 when an “unauthorized person” might have accessed “a vendor’s computers,” according to Genentech’s Chief Privacy Officer, Robert Glaser. The letter was submitted in keeping with New Hampshire’s data privacy law. Nadine O’Campo, a Genentech spokesperson, confirmed the details of the letter for Threatpost. 

A slew of unencrypted information may have been exposed in the breach, including patients’ names, addresses, phone numbers, date of birth, e-mail addresses, driver’s license numbers, social security numbers, and medical and health insurance information, according to the letter. Those affected weren’t notified until nearly October. Patients whose records may have been involved in the breach began to receive letters last week postmarked September 30. 

A member of the Roche Group, Genentech, based in South San Francisco, Calif., uses genetic data to produce and commercialize modern day medicines.  It was the company’s patient support program, a part of the corporation that assists patients and their health care providers with coverage and co-payments, that was breached.

O’Campo said the number of patients affected was less than one percent of the one million people who use the company’s support programs.

Like the many corporations who have suffered data breaches before them, Genentech has partnered with a credit monitoring and identity theft protection insurance firm to work with affected individuals going forward.

Since 2009, major health care information breaches have affected more than 10.8 million individuals according to information disclosed by Department of Health and Human Services’ Office for Civil Rights earlier this year.

Categories: Data Breaches, Social Engineering