HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access

Central Colorado Dermatology (CCD) has notified more than 4,000 patients that some of their protected health information (PHI) has potentially been accessed by hackers during a ransomware attack on its computer network.

An unauthorized individual gained access to CCD’s computer network and deployed ransomware on a server. Medical records and patients’ medical charts were not accessed, although certain files and scanned fax communications were encrypted. Some of those files contained PHI.

An investigation was launched to determine whether protected health information was accessed or stolen although it was not possible to determine with a high degree of certainty whether any PHI was viewed or copied. CCD did not uncover any evidence to suggest that PHI had been accessed or stolen, although some of the software that had been installed on its network could have allowed files to be downloaded.

The files that could have been accessed including the following information: Names, addresses, contact telephone numbers, dates of birth, email addresses, Insurance information, Social Security numbers, insurance payment codes and costs, dates of service, clinical information, medical conditions, diagnoses, treatment information, lab test results, diagnostic studies, copies of CCD reports and notes, and information sent to CCD from other healthcare providers by fax.

Please see the HIPAA Journal Privacy Policy

The investigation determined that remote access was gained to a single server on June 5, 2018 and ransomware was deployed the same day.

Upon discovery of the attack, steps were taken to secure the network and block remote access and a cybersecurity firm was retained to investigate the attack. After systems were secured and the malicious software was removed, the cybersecurity firm continued to monitor the network for several weeks to ensure that no further attempts were made to access the system. During that time, no further intrusions were detected and no suspicious network activity was identified.

In response to the attack, CCD has changed its password requirements and how its network can be accessed, new anti-virus software has been installed, and further upgrades to system security have been made. That process is continuing, guided by IT security specialists. Changes have also been made to its fax software to ensure that digital copies of faxes are not automatically stored on its network.

Because unauthorized PHI access and theft of files could not be ruled out, notification letters were sent to all 4,065 patients whose PHI could potentially have been accessed. All patients affected by the breach have been offered one year of credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.