HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Farmington Medical Group Confirms Cyberattack

Last month, a series of cyberattacks were discovered to have occurred when healthcare databases were put up for sale on the Darknet marketplace TheRealDeal. The attacks were conducted by a hacker operating under the name TheDarkOverlord (TDO).

The names of the organizations that had been attacked were not initially disclosed, although the locations of the organizations were included in the darknet listings.

Initially, three healthcare organizations were believed to have been attacked, although the data from a much larger attack on a health insurer was posted a few days later. The initial listings on TheRealDeal included 48,000 records from a healthcare organization in Farmington, Missouri; 210,000 records from a healthcare organization in the Central/Midwest region of the U.S.; and 397,000 records from a healthcare organization in Georgia. The fourth posting contained 9.3 million records from an unnamed U.S. health insurer.

The healthcare organization in Georgia, Athens Orthopedic Clinic, has already announced that it was recently attacked. Now the Farmington healthcare group – Midwest Orthopedics Group – has also announced that it experienced a recent cyberattack.

Please see the HIPAA Journal Privacy Policy

Midwest Orthopedics Group includes a number of healthcare companies including Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; MidWest Orthopedic Pain & Spine; and Select Pain & Spine.

TheDailyJournal reports that Dr. Christopher T. Sloan, D.P.M., sent breach notification letters to all 48,000 patients this week to alert them to the breach of their ePHI.

Patients were informed that the breach was first discovered on May 27, 2016 and the information compromised in the attack included names, dates of birth, addresses, Social Security numbers, Medical diagnoses, laboratory test results, medical records, and possibly also financial information.

An investigation into the breach was launched and it appears that the cyberattack occurred on May 4, 2016. The attack was conducted via a third party contractor, according to the breach notice.

The breach notices explain that there has been no reported misuse of any patient data although it fails to mention that the data are being offered for sale on the darknet. It is unclear whether any of the data have actually been sold by TDO.

Patients were told “We are investigating how this breach happened by conducting internal and external security vulnerability checks and we are working closely with the FBI to determine the source of the hack.”

Action has been taken to secure records since the attack has taken place and additional security measures employed to prevent future breaches. Passwords were changed, system-wide security audits were conducted, and security policies were revamped.

Patients have been instructed to obtain credit reports and to check their accounts for any sign of fraudulent activity.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.