Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients

A Coastal Cape Fear Eye Associates ransomware attack has seen the protected health information of 925 patients compromised.

North Carolina’s Coastal Cape Fear Eye Associates, P.A., discovered its systems had been breached on December 5. 2017. Upon discovery of the ransomware attack, Coastal Cape Fear Eye Associates brought in external IT professionals to contain the attack and remove the ransomware. The IT consultants were able to limit the harm caused and the malware was removed, although some files remained locked and inaccessible for some time.

According to a substitute breach notice uploaded to the healthcare provider’s website on February 1, 2018, the delay in issuing notifications to affected patients was because it was not possible to access certain files to determine what information was involved and which patients were affected. Coastal Cape Fear Eye Associates has only recently been able to access all encrypted files.

Under HIPAA Rules, healthcare organizations are required to report ransomware attacks unless the attacked entity establishes there was a low probability of PHI being compromised. Ransomware typically blindly encrypts files and file access is not normally involved, even so, the Department of Health and Human Services’ Office for Civil Rights has released guidance on ransomware attacks that indicate – in most cases – ransomware attacks should be reported and patients notified.

In this case, the investigation into the attack revealed that data access was likely to have occurred, although no evidence was uncovered to suggest any information had been stolen by the attacker.

The files contained a wide range of highly sensitive information including names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, insurance card numbers, driver’s license numbers, emergency contact details, ethnicities, medications, medical histories, diagnosis records, physician notes, billing and payment histories, legal documents, and scanned copies of driver’s licenses, insurance cards and Medicare cards.

Coastal Cape Fear Eye Associates and its IT consultants are continuing to investigate the attack and will be implementing additional security controls to prevent future security breaches of this nature.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.