Another healthcare organization has experienced a ransomware attack in which the protected health information of patients was potentially accessed. Ransomware is typically installed for the purpose of extortion rather than the theft of data; however, even if data theft is not suspected, ransomware attacks are reportable security incidents under HIPAA Rules and patients must be notified per the HIPAA Breach Notification Rule.
Cleveland Medical Associates does not believe any data were stolen in its attack and no evidence has been uncovered to suggest that the PHI of patients was compromised. However, since it is not possible to rule out the possibility of PHI being accessed with a high degree of certainty, the incident has been reported to the HHS’ Office for Civil Rights and patients are being notified of the cyberattack.
The ransomware attack was discovered on April 21, 2017, with ransomware believed to have been installed the previous evening. The ransomware was installed on a server that contained the protected health information of 22,000 patients. Medical services were not disrupted as a result of the attack.
A third-party cybersecurity firm was contracted to conduct a forensic investigation of the attack to determine which data were potentially compromised and the extent of the infection. That investigation revealed the server contained names, addresses, contact telephone numbers, Social Security numbers, insurance billing information, email addresses, medical records and other clinical information.
The incident was reported to the FBI and appropriate state and federal agencies have been notified. While data theft is not suspected, as a precautionary measure Cleveland Medical Associates is offering all patients 12 months of complimentary credit monitoring services through Equifax, which include an identity theft insurance policy.
The incident has prompted the healthcare provider to conduct a full review of its security procedures and a new medical record system is now being implemented.