Mind & Motion Developmental Centers of Georgia has announced that hackers have succeeded in installing ransomware and malware on a server, which has potentially allowed them to gain access to patients’ protected health information.
The ransomware was downloaded and executed on a server housing Mind & Motion medical records. The types of data that were potentially compromised include names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance information, and Social Security numbers. It is also possible that full medical records were compromised as a result of the attack.
Mind & Motion discovered the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was retained to investigate the breach, determine how the attack occurred, and help recover data that had been rendered inaccessible by the ransomware.
In addition to the ransomware infection, TeamLogic IT discovered an inactive keylogger and a spam emailer on the server. All malware was removed and the associated accounts were deleted. TeamLogic IT did not uncover evidence to suggest that any of the installed malware had been used to access patient financial information or Mind & Motion’s scheduling and electronic billing systems.
Since the attack was discovered, Mind & Motion has not received any reports from patients to suggest that any of their PHI has been stolen and misused. The attack is believed to have been performed with the purpose of extorting money from Mind & Motion and patients are not expected to experience any negative effects from the attack.
In response to the security breach, and as instructed by its IT vendor, Mind & Motion has reset all passwords and implemented controls to ensure that complex passwords are set on all accounts in the future. A policy has also been introduced requiring users to change their passwords more frequently. Computers and servers have had professional anti-malware solutions installed and will be scanned regularly. Mind & Motion has also implemented encryption on all of its computers, and the latest anti-spam technology has been deployed to protect against phishing attacks.
Promptly after the breach was detected, Mind & Motion hired a compliance consulting firm to make sure that all requirements of HIPAA were satisfied. The consulting firm will be administering further HIPAA compliance training to all staff within 30 days.
A breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights on November 30, 2018 and all affected patients have been notified about the breach by mail. The OCR breach report indicates up to 16,000 patient records were potentially compromised.