Eye Institute of Marin Notifies Patients of Ransomware Data Loss

Share this article on:

The San Rafael, CA-based Eye Institute of Marin has informed some of its patients that a ransomware attack on its electronic medical record provider has potentially resulted in some of their electronic protected health information being accessed by the attackers.

The EMR system contained a considerable amount of sensitive patient data including names, telephone numbers, addresses, birth dates, race, gender, Social Security numbers, medical histories, medical diagnoses, prescription information, health insurance details, health visit information, charges and payment details, and emergency contact information. No financial information or credit/debit card numbers were exposed as these were stored separately in a different system.

The incident was investigated at the time by a third party computer forensics company. The firm’s analysis of the attack did not uncover any evidence to suggest that patient data were accessed or copied by the attackers, although the possibility of data access could not be ruled out entirely.

The ransomware attack took place on July 26, 2016. The electronic medical record provider discovering the attack the following day. Systems were rapidly secured following the attack and data were restored from backup files.

Eye Institute of Marin was notified of the malware attack by its EMR provider on August 22, 2016. Further information about the incident was requested from the EMR provider, including details of the patients that had been affected. On September 14, Eye Institute of Marin discovered that the malware attack involved ransomware.

Eye Institute of Marin also discovered that some patient data were irrevocably lost. The majority of patient data were restored from backup files, although some patients’ consultation notes could not be recovered from the backup files.

The data that were lost included clinical histories, vital signs, and records of communications with patients. Details of refraction examinations may also have been lost. Patients whose data were lost had visited the Eye Institute of Marin between 7/11/16 and 7/26/16.

The Eye Institute of Marin did notify patients of the data loss on October 18, 2016, although breach notification letters have now been sent to all Eye Institute of Marin patients regarding the ransomware infection in accordance with HIPAA Rules. A press release was also issued on November 18 alerting the media to the possible data breach.

Eye Institute of Marin has confirmed that its EMR provider has appropriately secured its systems and policies and procedures have been reviewed. While credit monitoring and identity theft protection services have not been offered to patients, the Eye Institute of Marin has suggested patients place a credit freeze on their accounts and obtain a credit report from one of the three credit monitoring agencies if they are concerned about possible misuse of their data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On