Ransomware Encrypts Health Data for Three Months; PHI Still Inaccessible

Casa Grande, AZ-based Desert Care Family and Sports Medicine has alerted 500 patients to a potential breach of their protected health information (PHI) as a result of a ransomware infection.

The ransomware was installed on a server used to store PHI in August this year; however, despite attempts to unlock the encryption, patient data have still not been decrypted and have remained inaccessible for more than three months. The information stored on the server includes patients’ names, addresses, birthdates, account numbers, diagnoses, treatment information, and disability codes.

The healthcare provider took the affected server to a number of IT specialists in an attempt to unlock the encryption but to no avail. Free decryptors are available for certain ransomware variants via the No More Ransom Project; however, many of the most commonly used ransomware variants have yet to be cracked.

The only options for recovering locked data are to pay the ransom demand or to restore the encrypted files from backups. Unfortunately, there is no guarantee that payment of a ransom will result in the provision of a viable key to unlock the encrypted files. It is unclear whether Desert Care Family and Sports Medicine refused to pay the ransom or whether the ransom was paid and the attackers failed to supply a working key to decrypt the data.

Under HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) must be notified of a ransomware infection that results in ePHI being encrypted if the covered entity believes there is a risk that ePHI was accessed or copied by the attackers.

In most cases, ransomware infections do not result in the exfiltration of data. In this case, no evidence of data access or theft has been uncovered, although the possibility that PHI was viewed or copied could not be ruled out.

The incident was reported to both local law enforcement and the FBI, and a breach report has now been submitted to OCR. It is unclear why it took until December 20, 2016 for the notice to be provided to OCR and for patients to be informed of the potential breach. Covered entities are required to issue a breach notice within 60 days of the discovery of a potential data breach.

The incident clearly highlights the severity of the ransomware threat and how important it is for healthcare organizations to implement a range of controls to prevent infection and ensure data can be recovered.

It is essential for backups to be made of ePHI and for those backups to be tested to ensure data can be recovered. Since ransomware can also encrypt backup files, covered entities should store backup files on air-gapped devices or in the cloud.

Author: HIPAA Journal
