HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cleveland Medical Associates Attacked with Ransomware

Another healthcare organization has experienced a ransomware attack in which the protected health information of patients was potentially accessed. Ransomware is typically installed for the purpose of extortion rather than the theft of data; however, even if data theft is not suspected, ransomware attacks are reportable security incidents under HIPAA Rules and patients must be notified per the HIPAA Breach Notification Rule.

Cleveland Medical Associates does not believe any data were stolen in its attack and no evidence has been uncovered to suggest that the PHI of patients was compromised. However, since it is not possible to rule out the possibility of PHI being accessed with a high degree of certainty, the incident has been reported to the HHS’ Office for Civil Rights and patients are being notified of the cyberattack.

The ransomware attack was discovered on April 21, 2017, with ransomware believed to have been installed the previous evening. The ransomware was installed on a server that contained the protected health information of 22,000 patients. Medical services were not disrupted as a result of the attack.

A third-party cybersecurity firm was contracted to conduct a forensic investigation of the attack to determine which data were potentially compromised and the extent of the infection. That investigation revealed the server contained names, addresses, contact telephone numbers, Social Security numbers, insurance billing information, email addresses, medical records and other clinical information.

The incident was reported to the FBI and appropriate state and federal agencies have been notified. While data theft is not suspected, as a precautionary measure Cleveland Medical Associates is offering all patients 12 months of complimentary credit monitoring services through Equifax, which include an identity theft insurance policy.

The incident has prompted the healthcare provider to conduct a full review of its security procedures and a new medical record system is now being implemented.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.