Betty Jean Kerr People’s Health Centers Ransomware Attack Impacts 152,000 Patients
St Louis, MO-based Betty Jean Kerr People’s Health Centers experienced a ransomware attack on September 2, 2019 that prevented staff at its health centers from accessing certain types of patient, provider, and employee information.
The security incident was detected on September 3 and law enforcement was notified. A ransom demand was received, but the decision was taken not to pay. A third-party IT firm was engaged to assist with recovery, but it has not been possible to recover the encrypted data. The encrypted data is considered to have been permanently lost, unless a decryptor is developed by security researchers that allows files to be recovered. No mention has been made about the type of ransomware used in the attack and if backup files were also encrypted in the attack.
The investigation revealed the following types of information had been encrypted in the attack: Patient names, addresses, dates of birth, Social Security numbers, pharmacy data, health insurance information, dental x-rays, and a limited amount of clinical data. Affected patients had received medical services at Betty Jean Kerr People’s Health Centers between 2011 and September 2, 2019. The attack did not affect its electronic medical record system.
Healthcare providers affected by the breach had sought to be credentialed by People’s Health Centers between 2010 and September 2019. Names, addresses, and Social Security numbers provided by those healthcare organizations were also encrypted, as were the names, addresses, and Social Security numbers of individuals employed by People’s Health Centers between 2012 and September 2, 2019.
People’s Health Centers has confirmed that patient data, provider data, and employee information was encrypted, but it was not possible to determine whether the attackers accessed or copied any data during the attack. The individual(s) responsible for the attack is believed to be based outside the United States.
In total, up to 152,000 individuals have had their sensitive data exposed. People’s Health Centers is offering 12 months of free credit monitoring services to individuals affected by the breach.