Another healthcare organization has been attacked with ransomware, resulting in the protected health information of almost 34,000 patients being encrypted and made inaccessible.
St. Mark’s Surgical Center in Fort Myers, FL experienced the ransomware attack on April 13, 2017, which prevented patient data from being accessed until April 17, 2017. The ransomware was installed on the center’s server, which contained patients’ names, dates of birth, Social Security numbers and treatment information.
An investigation into the breach was immediately conducted to determine the extent of the attack and to find out which data had been encrypted and the number of patients impacted. That investigation revealed the protected health information of 33,877 patients was potentially accessed by the attackers.
A third-party cybersecurity firm was called in to assist with the removal of the ransomware and to conduct a thorough forensic investigation. The firm was able to confirm that all traces of the malware were removed and further access to the server was blocked.
The firm also investigated whether the attack involved the accessing or theft of patient data. The investigation did not uncover any evidence to suggest any health information was stolen or viewed by the attackers, although the possibility could not be ruled out with a high degree of certainty.
As the Department of Health and Human Services’ Office for Civil Rights has explained in its guidance on ransomware and subsequent blog posts, any ransomware attack that involves the encryption of ePHI is usually reportable. St. Mark’s Surgical Center followed that guidance and reported the security incident and notified all patients affected by the security breach to allow them to take action to minimize the possibility of misuse of their data.
All patients affected by the incident have also been offered complimentary credit monitoring and related services as an additional precaution against identity theft and fraud.
Prior to the attack, St. Mark’s Surgical Center had taken steps to reduce the risk of malware and ransomware incidents, although the attackers managed to bypass those defenses. To reduce the risk of future attacks, St. Mark’s Surgical Center has taken a number of steps to improve security, including purchasing a more robust firewall, improving patch management policies and ensuring all systems are protected by the latest antivirus software. Unified threat management services are also being used and a new backup and disaster recovery system has been implemented, which performs hourly backups and stores copies of those backups offsite in redundant data centers.
The substitute breach notice indicates the medical center learned of the extent of the attack on May 8, 2017, although the breach report on the Office for Civil Rights website shows the notice was submitted on August 9.
The maximum allowable time for notifying OCR and patients of a breach of ePHI is 60 days from the discovery of the breach, although covered entities should not delay the issuing of breach notifications unnecessarily.
Deven McGraw recently explained that breach notification delays are violations of HIPAA Rules, even when breach notices are issued within 60 days. If HIPAA covered entities delay the issuing of breach notices, they risk a financial penalty for the violation, as Presence Health discovered. A one-month delay in issuing breach notifications resulted in a settlement of $475,000.