The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Michigan Practice Forced to Close Following Ransomware Attack

Posted By on Apr 2, 2019

A ransomware attack can prove costly to resolve. That cost was not deemed worth it by one Michigan practice, which has now permanently closed its doors.

The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek which housed patient records, appointment schedules, and payment information rendering the data inaccessible.

The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required.

The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Since no payment was made, the attackers deleted all files on the system ensuring no information could be recovered. The partners decided to take early retirement rather than having to rebuild their practice from scratch.

The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to have been viewed or accessed prior to files being deleted so there is not believed to be any risk to patients; however, patients who had not obtained copies of their medical records prior to the ransomware attack will have lost all records stored by the practice.

That will naturally come at a cost to some patients, who may have to have medical tests performed for a second time. One patient at the practice told WWMT that her daughter had had surgery and she was attempting to schedule a follow up appointment when she discovered that her medical records have been lost. She must now visit another provider, but that provider will have no details about the surgical procedure.

The practice will officially close on April 30, 2019, until which point, patients can contact staff at the practice who will provide referrals.

The incident highlights just how important it is to ensure backups of all data are made. All backups must be tested to ensure they have not been corrupted and file recovery is possible.

A good best practice to adopt is the 3:2:1 approach. Create three backup copies, on two different types of media, and store one copy securely off site on an air-gapped device – One that is not networked or accessible over the internet. In the event of a ransomware attack, systems may be taken out of action and computers may need to have software reinstalled, but at least no data will be lost.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist