The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital

On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group affiliated with Boston Children’s Hospital, experienced a malware attack that caused a system outage which prevented its 500+ pediatricians, nurse practitioners, and physician assistants from accessing patient data and scheduling calendars.

PPOC has approximately 200 servers, 11 of which were impacted by the attack. IT teams at PPOC and Boston Children’s Hospital worked swiftly to contain the malware, and the affected servers have now been quarantined. Servers unaffected by the attack were shut down as a precautionary measure. Boston Children’s Hospital issued a statement confirming its systems were unaffected by the attack.

Patients were advised to reschedule non-urgent appointments as health records cannot be accessed until the malware is removed and the servers are brought back online. Children’s Hospital issued a statement on Wednesday saying progress was being made restoring the servers, but it was still unclear how long the recovery process would take.

PPOC has over 100 practices across the state of Massachusetts and serves more than 350,000 patients. It is currently unclear what type of malware was involved and whether it allowed hackers to gain access to patient data.


Central Kansas Orthopedic Group Suffers Ransomware Attack

Central Kansas Orthopedic Group (CKOG) in Great Bend, KS suffered a ransomware attack in November 2019 that resulted in the encryption of patient records.

The attack was discovered on November 11, 2019. The attackers sent a ransom demand which CKOG refused to pay. All encrypted files, including patient medical records, were successfully restored from backups.

A third-party forensic investigator was retained to assist with the investigation and determine whether patient data had been accessed or copied by the attackers prior to the deployment of ransomware. The investigation uncovered no evidence to suggest the attackers accessed or stole patient data and no reports of data misuse have been received.

The types of information that could potentially have been accessed included names, addresses, email addresses, dates of birth, state-issued ID numbers, driver’s license numbers, health information related to treatment provided by CKOG, Social Security numbers, and health insurance information. All affected patients have been notified by mail and offered identity theft protection services through ID Experts.

CKOG is now reviewing its security platform and has started implementing additional security protocols to harden its security posture.

The HHS’ Office for Civil Rights breach portal shows 17,214 patients were potentially affected by the attack.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
