HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Almost 12,000 Records Compromised in Two New Ransomware Attacks

In the past two weeks, two further healthcare organizations have announced that they have experienced ransomware attacks that potentially resulted in the protected health information of patients being accessed by cybercriminals. A combined 11,843 patient records were exposed in the two attacks.

The first incident affects PVHS-ICM Employee Health and Wellness, LLC. Ransomware was installed on a server at a single UCHealth walk-in clinic in Fort Collins, CO. The ransomware attack was discovered on May 4, 2017, with the crypto-ransomware believed to have been installed the same day.

A third-party computer expert was called in to help remove the ransomware and conduct a forensic investigation of the affected server. That investigation revealed the data stored on the server dated back to September 23, 2014 and included the protected health information of 10,143 individuals. PVHS-ICM has not indicated whether the ransom was paid.

The protected health information on the server included patients’ names, home addresses and other demographic information along with health records, including diagnoses and treatment information. Some patients’ Social Security numbers were also stored on the server.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

In its substitute breach notice, PVHS-ICM said the forensic investigation did not uncover any evidence to suggest the attackers gained access to the ePHI of patients and there were no signs that any data were stolen in the attack. However, as is often the case with ransomware attacks, it was not possible to rule out the possibility that data were accessed or stolen with a high degree of confidence.

As is required by HIPAA Rules in such cases, patients must be notified that their ePHI was potentially compromised. Out of an abundance of caution, all patients affected by the incident have been offered complementary identity monitoring and identity theft remediation services for 12 months through ID Experts.

PVHS-ICM has taken steps to prevent further ransomware attacks including taking the server offline and creating an encrypted backup of all sensitive information on the server. That backup will be stored in a secure location.

GI Care for Kids Endoscopy Center Suffers Ransomware Attack

The Atlanta, Georgia-based GI Care for Kids Endoscopy Center also recently announced it had discovered ransomware on its systems. The ransomware attack occurred on April 28, 2017 and was discovered the same day.

A forensic investigation by third-party security experts found no evidence of data access or theft, with the investigators believing the attackers only used the ransomware to encrypt patient records in order to extort money from the company. While the attackers are not believed to have stolen or viewed data, the possibility could not be totally ruled out.

The investigation revealed the ePHI of 1,700 patients was encrypted by the ransomware. The affected computers and servers did not contain any Social Security numbers or financial information; however, patients’ names, telephone numbers, addresses, birth dates, ages, and medical information such as health histories and diagnoses could potentially have been accessed.

Affected patients have now been notified of the incident in accordance with HIPAA Rules. GI Care for Kids Endoscopy Center told patients no further actions are required to protect against possible harm, although, affected patients can obtain credit reports, place fraud alerts on credit accounts and should monitor their financial accounts closely if they are concerned about fraud following the ransomware attack.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.