Details Emerge on Laser Dermatologic Surgery Center Data Breach
Laser & Dermatologic Surgery Center reported a data breach to Office for Civil Rights (OCR) on June 14, 2016 that impacted 31,000 patients. It was initially unclear as to the nature of the breach, although further details have now emerged.
Laser & Dermatologic Surgery Center has recently changed ownership. Prior to the new owners taking over the company the healthcare provider experienced a ransomware infection. All data were backed up and it was possible to restore all affected files from backups without paying the ransom demand.
However, the new owners’ IT department discovered that while the ransomware infection had been addressed, malware was present on its system. It is not clear whether the malware was installed by the same individuals responsible for the ransomware attack.
On March 21, 2016., after a review of access logs was conducted, it was also discovered that an unauthorized individual had gained access to the healthcare provider’s network. The first intrusion was determined to have taken place on March 1, 2016.
While no evidence was discovered to suggest that the protected health information of patients had been accessed, the possibility that ePHI had been accessed could not be ruled out. Patient names, dates of birth, home addresses, and Social Security numbers could all potentially have been accessed. The individual was discovered to have gained access to the system on several occasions.
Upon discovery of the intrusion, systems were taken offline to prevent further access while IT professionals worked to restore the security of the system. A forensic analysis was also conducted to try to determine the origin of the attack. All systems have now been secured, the malware has been removed, and external access is no longer possible.
Additional security protections have now been put in place to prevent further security breaches of this nature. Patients were alerted to the potential breach of their ePHI on June 12, 2016.