HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Eye Institute of Marin Notifies Patients of Ransomware Data Loss

The San Rafael, CA-based Eye Institute of Marin has informed some of its patients that a ransomware attack on its electronic medical record provider has potentially resulted in some of their electronic protected health information being accessed by the attackers.

The EMR system contained a considerable amount of sensitive patient data including names, telephone numbers, addresses, birth dates, race, gender, Social Security numbers, medical histories, medical diagnoses, prescription information, health insurance details, health visit information, charges and payment details, and emergency contact information. No financial information or credit/debit card numbers were exposed as these were stored separately in a different system.

The incident was investigated at the time by a third-party computer forensics company. The firm’s analysis of the attack did not uncover any evidence to suggest that patient data were accessed or copied by the attackers, although the possibility of data access could not be ruled out entirely.

The ransomware attack took place on July 26, 2016. The electronic medical record provider discovered the attack the following day. Systems were rapidly secured following the attack and data were restored from backup files.


Eye Institute of Marin was notified of the malware attack by its EMR provider on August 22, 2016. Further information about the incident was requested from the EMR provider, including details of the patients that had been affected. On September 14, Eye Institute of Marin discovered that the malware attack involved ransomware.

Eye Institute of Marin also discovered that some patient data were irrevocably lost. The majority of patient data were restored from backup files, although some patients’ consultation notes could not be recovered from the backup files.

The data that were lost included clinical histories, vital signs, and records of communications with patients. Details of refraction examinations may also have been lost. Patients whose data were lost had visited the Eye Institute of Marin between 7/11/16 and 7/26/16.

The Eye Institute of Marin did notify patients of the data loss on October 18, 2016, although breach notification letters have now been sent to all Eye Institute of Marin patients regarding the ransomware infection in accordance with HIPAA Rules. A press release was also issued on November 18 alerting the media to the possible data breach.

Eye Institute of Marin has confirmed that its EMR provider has appropriately secured its systems and policies and procedures have been reviewed. While credit monitoring and identity theft protection services have not been offered to patients, the Eye Institute of Marin has suggested patients place a credit freeze on their accounts and obtain a credit report from one of the three credit monitoring agencies if they are concerned about possible misuse of their data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.