HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

19,000 Impacted by Medical Oncology Hematology Consultants Ransowmare Incident

A server and several workstations used by Newark, Delaware-based Medical Oncology Hematology Consultants (MOHC) have had sensitive data encrypted by ransomware.

The ransomware attack was discovered on July 7, 2017, although the attack first started around three weeks previously on June 17. The attack resulted in certain electronic files being encrypted, preventing access to data.

Upon discovery of the attack, MOHC launched an investigation to determine the extent of the attack, the files affected, and whether any protected health information had been accessed or stolen. In addition to the Internal investigation, a third-party cybersecurity firm was contracted to assist with the recovery of encrypted data.

MOHC determined that some of the encrypted files contained patients’ protected health information which could potentially have been accessed during the attack. The types of information potentially compromised were limited to patients’ names, phone numbers, dates of birth, health and treatment information. In total, 19,203 patients were potentially impacted by the incident.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

MOHC notes in its substitute breach notification letter that no evidence of data access or data theft was uncovered during the investigation and no reports have been received to suggest any sensitive information has been misused.

Under HIPAA Rules, breaches of protected health information such as this must be reported to the Department of Health and Human Services’ Office for Civil Rights and breach notification letters must be sent to patients. Those notifications have now been issued.

While not required to do so under state law, MOHC has taken the decision to offer patients 12 months of free credit monitoring and related services out of an abundance of caution to protect them against identity theft and fraud.

HIPAA-covered entities should note that Delaware has recently updated its breach notification law which will require all businesses experiencing a breach of personal information to offer credit monitoring services to breach victims if their personal information is exposed. The new law has an effective date of April 14, 2018

The ransomware attack prompted MOHC to make several enhancements to its policies, procedures, and systems to improve data security. The updates included a full network password reset, revisions to its document retention policies and procedures, the implementation of a web filtering system, conducting phishing simulations on employees and providing them with further training, the implementation of a two-factor authentication system, a reevaluation of access privileges and consolidation of its servers to eliminate redundancies.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.