HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

10,000 Plastic Surgery Patients Informed of Ransomware-Related PHI Breach

10,200 patients of Plastic Surgery Associates of South Dakota are being notified that some of their protected health information was potentially compromised as a result of a ransomware attack in February this year.

Plastic Surgery Associates of South Dakota discovered ransomware had been installed on some of its systems on February 12, 2017. Rapid action was taken to remove the ransomware and third-party forensics experts were brought in to investigate and determine the extent of the breach and which, if any, patients had been impacted.

Fortunately, while data were encrypted, the majority of its patients were not impacted by the incident and did not have any of their data accessed or encrypted. However, the process of restoring data resulted in critical files being lost.

Those files contained evidence that could have been used to confirm that some patients had not been impacted by the incident. On April 24, Plastic Surgery Associates of South Dakota decided that without access to that evidence it was not possible to rule out PHI access for 10,200 of its patients with a high degree of certainty. Consequently, all of those individuals have now been notified that their PHI has potentially been compromised.

The system that the ransomware was installed on contained names, Social Security numbers, driver’s license numbers, state ID numbers, credit and debit card information, lab test results, medical diagnoses, birth dates, health insurance information and details of medical conditions.

Plastic Surgery Associates of South Dakota has confirmed that no reports of misuse or attempted misuse of patients’ PHI have been received. Out of an abundance of caution, affected individuals have been offered complimentary membership of Equifax Credit Watch Silver credit monitoring and identity theft protection services for 12 months.

Plastic Surgery Associates of South Dakota said it already employs stringent security controls to protect the privacy of patients and the confidentiality of their PHI, and that “the confidentiality, privacy, and security of our patient information is one of our highest priorities.” The incident has prompted the company to enhance security, and additional security measures will be deployed to prevent future incidents of this nature.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.