The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered a ransomware attack that affected two computer servers and potentially resulted in the attackers gaining access to the protected health information of 17,634 patients.

The ransomware attack occurred on November 28, 2016, although it was initially unclear whether access to patients’ PHI had been gained by the attackers.

Metropolitan Urology Group contracted an international information technology company to perform a thorough analysis of the affected servers and its systems to determine the nature and extent of the attack.

On January 10, 2017, Metropolitan Urology Group was informed that patient data may have been accessed as a result of the infection. The firm was able to successfully remove the ransomware infection and restore the medical group’s systems.


Current patients are unaffected by the security breach. The data stored on the servers related to patients who had received medical services at the medical group’s facilities between 2003 and 2010.

The types of data that were potentially accessed include patients’ full names, procedural codes, dates of service, patient control numbers, patient account numbers and provider identification numbers. Only five of the 17,634 patients had their Social Security number stored on the servers.

When ransomware was detected, the servers were promptly isolated and external access was blocked. The medical group said it has now implemented ‘the best firewall and secure email system’; its information technology vendor, Digicorp, and its employees have all undergone further training on information security; and a risk analysis is being performed to identify any further vulnerabilities in its IT systems to prevent future attacks. If any vulnerabilities are detected, rapid action will be taken to mitigate risk. Policies and procedures will also be updated to reflect technological changes that have been implemented in response to the attack.

All patients impacted by the incident have now been notified of the potential privacy breach by mail and have been offered 12 months of credit monitoring services without charge as a precaution against fraud and identity theft.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
