Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals.

The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016.

A computer server was attacked and infected, which resulted in the encryption of files containing patients’ names, telephone numbers, dates of service, payment amounts, and details of services provided. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 11,400 patients have been impacted.

Upon discovery of the incident, passwords were reset and action was taken to isolate the affected server. Fortunately, the center was able to switch to a backup system while the infection was resolved. According to the substitute breach notice posted on the company website, an investigation into the attack was immediately launched and an external cybersecurity firm was hired to conduct a forensic investigation.

While PHI may have been accessed by the attackers, the cosmetic surgery center has not received any reports to suggest any PHI has been used inappropriately.

Ransomware attacks are reportable breaches under HIPAA Rules. Covered entities are required to notify patients of a ransomware attack that potentially results in their PHI being compromised, and OCR must be notified. If the potential breach impacts more than 500 individuals, a notice must be issued to the media and a substitute breach notice placed on the company’s website.

As with other breaches of PHI, the HIPAA Breach Notification Rule allows covered entities up to 60 days to issue a notification to OCR and to inform patients of a ransomware attack if PHI has been compromised.

Yet in this instance, patients were not notified of the attack until December 27, 2016, almost four months after the attack was discovered. The Office for Civil Rights was notified of the incident on the same day. It is unclear why notifications were delayed for so long.

The Office for Civil Rights has not previously taken action against healthcare organizations solely for delaying breach notifications, although yesterday OCR announced a settlement had been reached with Presence Health of Illinois for the failure to issue breach notifications within the 60-day Breach Notification Rule reporting period. In the case of Presence Health, breach notifications were issued around 100 days after the breach was discovered. Presence Health agreed to settle potential HIPAA violations for $475,000.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.