Almost 10,000 Patients Impacted by Nebraska Ransomware Attack

Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska have experienced a ransomware attack that has potentially resulted in the protected health information of almost 10,000 patients being accessed by the attackers.

The ransomware attack occurred on October 7, 2017 and saw a wide range of files on some servers being encrypted by the ransomware. A ransom demand was issued by the attackers, although it was not paid. The encrypted files were restored from a recent backup to allow services to be continued to be offered to patients.

Third-party computer forensics professionals were called in to assist with the investigation of the attack to determine whether the attackers gained access to, viewed, or copied patient information and to investigate how access to the servers was gained and how the ransomware was installed.

The investigation did not uncover evidence to suggest any patient health information was stolen, but data access could not be ruled out with a high degree of confidence. Consequently, the incident was reportable to the Department of Health and Human Services’ Office for Civil Rights under HIPAA Rules and notifications to patients were warranted. Those notifications have now been mailed.

Eye Physicians reports that the breach involved information such as names, dates of birth, and ophthalmic imagery, and that no financial information or Social Security numbers were exposed.

As a result of the attack, an external IT security consultant was contracted to conduct a comprehensive security risk assessment to identify potential vulnerabilities, and hardware and software have been upgraded as a result of that assessment. It is hoped that the improvements to security will help to prevent similar incidents from occurring in the future.

The incident affected 7,721 patients of the Columbus Surgery Center and 2,620 patients of Eye Physicians, according to the breach reports submitted to OCR.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.