HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach

Doctors’ Management Service Inc., a Massachusetts-based provider of medical billing services, discovered on December 24, 2018 that malicious software had been downloaded to its network which prevented files from being accessed.

An investigation into the security incident was initiated which determined GandCrab ransomware had been deployed. Files were recovered from backups and no ransom was paid.

The investigation also revealed that the individual responsible for installing the ransomware had first gained access to its systems on April 1, 2017, 7 months before the ransomware was deployed. Access to the network was gained via Remote Desktop Protocol (RDP) on one of its workstations.

Parts of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, which included names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic information.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The attack appeared to have been timed to ensure the attack would not be immediately detected. The deployment of ransomware could have been an attempt to extort money after the hackers’ other objectives had been achieved.

Doctors’ Management Service explained in its breach notification letter that no unauthorized server access was detected until the ransomware was deployed on December 24, and the forensic investigation did not uncover any evidence of data access nor exfiltration of patient data, although the forensic investigators could not rule out the possibility of data theft.

Third-party computer security experts have been consulted and have made recommendations on how network security can be improved. The company will implement additional controls to prevent further security breaches and staff will continue to be educated on security threats.

Impacted clients and patients have been notified about the incident and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary on the OCR website indicates 206,695 patients have been impacted by the breach.

 

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.