25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Medical Billing Service Provider Suffers Ransomware Attack

Posted By on Apr 26, 2019

Doctors’ Management Service Inc., a Massachusetts-based provider of medical billing services, discovered on December 24, 2018, that malicious software had been downloaded to its network which prevented files from being accessed.

An investigation into the security incident was initiated which determined GandCrab ransomware had been deployed. Files were recovered from backups and no ransom was paid.

The investigation also revealed that the individual responsible for installing the ransomware had first gained access to its systems on April 1, 2017, 20 months before ransomware was deployed. Access to the network was gained via Remote Desktop Protocol (RDP) on one of its workstations.

Parts of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, which included names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic information.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The attack appeared to have been timed to ensure the attack would not be immediately detected. The deployment of ransomware could have been an attempt to extort money after the hackers’ other objectives had been achieved.

Doctors’ Management Service explained in its breach notification letter that no unauthorized server access was detected until the ransomware was deployed on December 24, and the forensic investigation did not uncover any evidence of data access nor exfiltration of patient data, although the forensic investigators could not rule out the possibility of data theft.

Third-party computer security experts have been consulted and have made recommendations on how network security can be improved. The company will implement additional controls to prevent further security breaches and staff will continue to be educated on security threats.

Impacted clients and patients have been notified about the incident and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary on the OCR website indicates 206,695 patients have been impacted by the breach.

 

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist