HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Details Emerge on Laser Dermatologic Surgery Center Data Breach

Laser & Dermatologic Surgery Center reported a data breach to the Office for Civil Rights (OCR) on June 14, 2016 that impacted 31,000 patients. The nature of the breach was initially unclear, although further details have now emerged.

Laser & Dermatologic Surgery Center has recently changed ownership. Prior to the new owners taking over the company, the healthcare provider experienced a ransomware infection. All data were backed up, and it was possible to restore all affected files from backups without paying the ransom demand.

However, the new owners’ IT department discovered that while the ransomware infection had been addressed, malware was present on its system. It is not clear whether the malware was installed by the same individuals responsible for the ransomware attack.

On March 21, 2016, after a review of access logs was conducted, it was also discovered that an unauthorized individual had gained access to the healthcare provider’s network. The first intrusion was determined to have taken place on March 1, 2016.

While no evidence was discovered to suggest that the protected health information of patients had been accessed, the possibility that ePHI had been accessed could not be ruled out. Patient names, dates of birth, home addresses, and Social Security numbers could all potentially have been accessed. The individual was discovered to have gained access to the system on several occasions.

Upon discovery of the intrusion, systems were taken offline to prevent further access while IT professionals worked to restore the security of the system. A forensic analysis was also conducted to try to determine the origin of the attack. All systems have now been secured, the malware has been removed, and external access is no longer possible.

Additional security protections have now been put in place to prevent further security breaches of this nature. Patients were alerted to the potential breach of their ePHI on June 12, 2016.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.