HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack

Riverplace Counseling Center in Anoka, MN, has discovered malware has been installed on its systems which may have allowed unauthorized individuals to gain access to patients’ protected health information.

The malware infection was discovered on January 20, 2019. The counseling center engaged an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis was completed on February 18, 2019.

The IT firm did not find evidence that suggested patient information had been subjected to unauthorized access or had been copied, but data access and PHI theft could not be totally ruled out.

The types on information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information.

Affected individuals were notified about the data breach on April 11, 2019 and have been offered identity theft monitoring services via Kroll for 12 months at no cost. No reports have been received to date to suggest any patients’ PHI has been misused.

Riverplace Counseling Center has not publicly disclosed what type of malware was involved, nor how the malware was installed on its systems.

To improve security and reduce the risk of further malware attacks, Riverplace Counseling Center has installed spam filters, upgraded its antivirus software and firewalls, and has provided further training to employees to help them identify unauthorized access.

The counseling center has also consulted with a cybersecurity firm which is providing recommendations on new system-wide policies and procedures to further enhance security.

According to the breach summary on the Department of Health and Human Services’ Office for Civil Rights website, up to 11,639 patients’ PHI was potentially compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.