HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Colorado Practice Hacked Twice in a Week

A family and sports medicine practice in Colorado has discovered a hacker gained access to its systems and encrypted files with ransomware.

Longs Peak Family Practice (LPFP) in Longmont CO, identified suspicious activity on its network on November 5, 2017 and took rapid action to secure its systems. However, before that was possible, the attacker ran ransomware code which encrypted files on certain parts of its network.

LPFP was prepared for such attacks, and was able to recover the encrypted files and rebuild its systems from backups. However, five days after the initial intrusion was detected, LPFP discovered a second attack had occurred, and its systems had been accessed in a second attack. Ransomware was not involved in the second incident.

While the first incident was dealt with internally, when the second attack was discovered, LPFP called in a leading computer forensics form to assist with the investigation, conduct scans for malware and backdoors, and ensure that unauthorized access to its systems was blocked.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

That investigation revealed that an unauthorized individual had accessed certain parts of LPFP’s network on November 5, 9, and 10th. The forensic investigation took until December 5 to complete, but did not uncover any specific evidence to suggest the attacker had opened any files or stolen data.

However, it was not possible to rule out data access and theft with 100% certainty, and while no evidence was uncovered to suggest the ransomware infection did anything other than blindly encrypt files, it is possible that the malware could have been used to download some computer files.

Files stored on the compromised computers included the following patient information: Names, addresses, email addresses, driver’s license details, Social Security numbers, dates of birth, internal patient ID numbers, insurance carriers, insurance payment codes and costs, dates of service, copies of notes made by LPFP physicians and other healthcare providers, medical conditions, medications, diagnoses, data from diagnostic studies, and lab test results.

Potentially, final statements for accounts that had been sent to a collection agency may have been compromised, but no financial information, invoices for medical services, or credit/debit card details were exposed.

LPFP had already implemented a range of defenses to prevent the unauthorized accessing of patient data, but these attacks revealed vulnerabilities existed in its defenses.  Those vulnerabilities have now been addressed and changes have been made to how its network can be accessed. A new, enhanced firewall has been purchased and implemented, further training is being provided to staff on privacy and security, and the practice is looking into further tools and procedures that will help to improve security.

Due to the sensitive nature of the information that was potentially accessed, LPFP is offering patients 12 months of identity theft repair and credit monitoring services through AllClear without charge.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 16,238 individuals have been impacted by these incidents.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.