Airway Oxygen Inc. Ransomware Attack Impacts up to 500,000 Individuals

A ransomware attack on the Wyoming, MI-based medical supply company Airway Oxygen Inc., in April 2017 has potentially resulted in the protected health information of 500,000 individuals being accessed by the attackers.

No evidence of data access or theft was uncovered by Airway Oxygen, although it was not possible to rule out the possibility that information was compromised in the attack.

The attackers gained access to the company’s technical infrastructure on April 18, 2017 and installed ransomware. The part of the network affected was discovered to contain protected health information including names, addresses, birth dates, contact telephone numbers, medical diagnoses, health insurance policy numbers and details of the services the company provided to patients. Financial information and Social Security numbers were not exposed.

Upon discovery of the cyberattack, immediate action was taken to prevent further network intrusions and a scan of the entire system was performed to search for any additional malware. Passwords for users, vendors and applications were changed as a precaution. Airway Oxygen has reported the incident to the FBI and has brought in a third-party cybersecurity company to conduct a full investigation to determine how the ransomware was installed and the impact of the breach.

The incident has prompted Airway Oxygen to update its security tools and deploy new security protections to prevent future attacks. A firewall review has been scheduled and a new system has been installed to monitor suspicious firewall activity. That system will issue alerts if suspicious firewall activity is detected. The firm will also continue to review its security protections to reduce the risk of future incidents occurring.

Affected individuals were notified of the breach this month and provided with information on the steps they can take to secure their accounts and prevent fraud. While the attackers are not believed to have viewed PHI, affected individuals have been advised to monitor all their healthcare and financial accounts for suspicious activity.

Airway Oxygen Inc., has not released details about the type of ransomware involved, the ransom amount demanded by the attackers or whether the ransom was paid.

Last year, the HHS’ Office for Civil Rights issued guidance for covered entities on ransomware attacks, explaining that a ransomware attack that results in the encryption of data is a reportable security incident unless the covered entity had encrypted PHI prior to the ransomware attack occurring or it can be demonstrated, by means of a risk assessment, that there is a low risk of PHI having been accessed, used, disclosed or modified. Following the WannaCry ransomware attacks last month, OCR reconfirmed that ransomware attacks are usually reportable incidents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.