HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Californian Healthcare Provider Informs Patients of Ransomware Attack

Yuba Sutter Medical Clinic in Yuba City, California has reported a recent ransomware attack that resulted in certain parts of its network being taken out of action. Prompt action was taken to restore all encrypted files. Systems were only out of action for a short while. However, due to the inability to access patient data, patients did experience delays in receiving treatment.

The attack occurred on or around August 3, 2016 and resulted in the encryption of internal clinical data and patient health information. All data were backed up and could be restored without any data loss or data corruption, although appointments needed to be rescheduled for some patients.

The decision was taken to delay notifying patients while an investigation was conducted and appropriate authorities were notified of the incident. Federal law enforcement authorities are continuing to investigate the incident and an policy review and internal investigation into the incident is ongoing.

Under HIPAA Rules, ransomware attacks on healthcare organizations are reportable unless the covered entity can demonstrate the risk of PHI being compromised was low. In this case, since access to patient data was prevented, the Department of Health and Human Services’ Office for Civil Rights was notified and breach notification letters have now been sent to all affected patients.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The PHI that was encrypted included the names of patients along with their billing information, insurance details, home addresses, and phone numbers. The investigation into the attack did not uncover any evidence to suggest that any patient data were exfiltrated, although the possibility cannot be ruled out.

Patients have been advised to obtain credit reports to check for any suspicious activity and to place fraud alerts on credit files as a protection against identity theft and fraud. Following the ransomware attack, Yuba Sutter Medical Clinic conducted a full review of its policies, procedures and security systems. Additional measures have now been adopted to enhance the security of its computer systems and reduce the risk of future attacks being suffered.

Healthcare organizations are being actively targeted by hackers with increasing regularly. Many hospitals and medical facilities have reported having data encrypted by ransomware in 2016. In July 2016, the HHS issued guidance for covered entities on ransomware. The guidance suggests best practices to adopt and steps that can be taken to reduce the likelihood of ransomware being installed on healthcare networks. Advice is also provided on what to do if ransomware is installed on the network. The guidance can be viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.