25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cleveland Medical Associates Attacked with Ransomware

Posted By on Jun 30, 2017

Another healthcare organization has experienced a ransomware attack in which the protected health information of patients was potentially accessed. Ransomware is typically installed for the purpose of extortion rather than the theft of data; however, even if data theft is not suspected, ransomware attacks are reportable security incidents under HIPAA Rules and patients must be notified per the HIPAA Breach Notification Rule.

Cleveland Medical Associates does not believe any data were stolen in its attack and no evidence has been uncovered to suggest that the PHI of patients was compromised. However, since it is not possible to rule out the possibility of a PHI being accessed with a high degree of certainty, the incident has been reported to the HHS’ Office for Civil Rights and patients are being notified of the cyberattack.

The ransomware attack was discovered on April 21, 2017 with ransomware believed to have been installed the previous evening.  The ransomware was installed on a server than contained the protected health information of 22,000 patients. Medical services were not disrupted as a result of the attack.

A third-party cybersecurity firm was contracted to conduct a forensic investigation of the attack to determine which data were potentially compromised and the extent of the infection. That investigation revealed the server contained names, addresses, contact telephone numbers, Social Security numbers, insurance billing information, email addresses, medical records and other clinical information.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The incident was reported to the FBI and appropriate state and federal agencies have been notified. While data theft is not suspected, as a precautionary measure Cleveland Medical Associates is offering all patients 12 months of complimentary credit monitoring services through Equifax, which include an identity theft insurance policy.

The incident has prompted the healthcare provider to conduct a full review of its security procedures and a new medical record system is now being implemented.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist