Colorado Practice Hacked Twice in a Week
A family and sports medicine practice in Colorado has discovered a hacker gained access to its systems and encrypted files with ransomware.
Longs Peak Family Practice (LPFP) in Longmont CO, identified suspicious activity on its network on November 5, 2017 and took rapid action to secure its systems. However, before that was possible, the attacker ran ransomware code which encrypted files on certain parts of its network.
LPFP was prepared for such attacks, and was able to recover the encrypted files and rebuild its systems from backups. However, five days after the initial intrusion was detected, LPFP discovered a second attack had occurred, and its systems had been accessed in a second attack. Ransomware was not involved in the second incident.
While the first incident was dealt with internally, when the second attack was discovered, LPFP called in a leading computer forensics form to assist with the investigation, conduct scans for malware and backdoors, and ensure that unauthorized access to its systems was blocked.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
That investigation revealed that an unauthorized individual had accessed certain parts of LPFP’s network on November 5, 9, and 10th. The forensic investigation took until December 5 to complete, but did not uncover any specific evidence to suggest the attacker had opened any files or stolen data.
However, it was not possible to rule out data access and theft with 100% certainty, and while no evidence was uncovered to suggest the ransomware infection did anything other than blindly encrypt files, it is possible that the malware could have been used to download some computer files.
Files stored on the compromised computers included the following patient information: Names, addresses, email addresses, driver’s license details, Social Security numbers, dates of birth, internal patient ID numbers, insurance carriers, insurance payment codes and costs, dates of service, copies of notes made by LPFP physicians and other healthcare providers, medical conditions, medications, diagnoses, data from diagnostic studies, and lab test results.
Potentially, final statements for accounts that had been sent to a collection agency may have been compromised, but no financial information, invoices for medical services, or credit/debit card details were exposed.
LPFP had already implemented a range of defenses to prevent the unauthorized accessing of patient data, but these attacks revealed vulnerabilities existed in its defenses. Those vulnerabilities have now been addressed and changes have been made to how its network can be accessed. A new, enhanced firewall has been purchased and implemented, further training is being provided to staff on privacy and security, and the practice is looking into further tools and procedures that will help to improve security.
Due to the sensitive nature of the information that was potentially accessed, LPFP is offering patients 12 months of identity theft repair and credit monitoring services through AllClear without charge.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 16,238 individuals have been impacted by these incidents.
