Share this article on:
A server and several workstations used by Newark, Delaware-based Medical Oncology Hematology Consultants (MOHC) have had sensitive data encrypted by ransomware.
The ransomware attack was discovered on July 7, 2017, although the attack first started around three weeks previously on June 17. The attack resulted in certain electronic files being encrypted, preventing access to data.
Upon discovery of the attack, MOHC launched an investigation to determine the extent of the attack, the files affected, and whether any protected health information had been accessed or stolen. In addition to the Internal investigation, a third-party cybersecurity firm was contracted to assist with the recovery of encrypted data.
MOHC determined that some of the encrypted files contained patients’ protected health information which could potentially have been accessed during the attack. The types of information potentially compromised were limited to patients’ names, phone numbers, dates of birth, health and treatment information. In total, 19,203 patients were potentially impacted by the incident.
MOHC notes in its substitute breach notification letter that no evidence of data access or data theft was uncovered during the investigation and no reports have been received to suggest any sensitive information has been misused.
Under HIPAA Rules, breaches of protected health information such as this must be reported to the Department of Health and Human Services’ Office for Civil Rights and breach notification letters must be sent to patients. Those notifications have now been issued.
While not required to do so under state law, MOHC has taken the decision to offer patients 12 months of free credit monitoring and related services out of an abundance of caution to protect them against identity theft and fraud.
HIPAA-covered entities should note that Delaware has recently updated its breach notification law which will require all businesses experiencing a breach of personal information to offer credit monitoring services to breach victims if their personal information is exposed. The new law has an effective date of April 14, 2018
The ransomware attack prompted MOHC to make several enhancements to its policies, procedures, and systems to improve data security. The updates included a full network password reset, revisions to its document retention policies and procedures, the implementation of a web filtering system, conducting phishing simulations on employees and providing them with further training, the implementation of a two-factor authentication system, a reevaluation of access privileges and consolidation of its servers to eliminate redundancies.