The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack

Posted By on May 25, 2018

Rochester, MN-based Associates in Psychiatry and Psychology (APP) has experienced a ransomware attack that affected several computers containing patients’ protected health information.

The ransomware attack was discovered on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no evidence was uncovered to suggest any protected health information was accessed or copied by the attackers.

Since it was not possible to rule out data access with 100% certainty, all patients whose data were stored on the affected devices have been notified of the security breach. The types of information potentially accessed includes names, birth dates, addresses, Social Security numbers, insurance information, and treatment records.

APP acted promptly when the attack was discovered and took its systems offline to prevent the spread of the ransomware and limit the potential for further encryption of data and data theft. APP’s systems remained offline for four days while the attack was assessed.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

APP notes in its Q&A about the incident that the attack is believed to have commenced between the evening of Friday, March 30 and the morning of Saturday, March 31. The type of ransomware used in the attack was “Triple-M.” APP explained that this variant of ransomware uses the RSA-2048 encryption protocol and extremely long keys to encrypt data. The system restore function was also disabled and the attackers reformatted the network storage device that was used to store backups.

APP’s IT Director, Steve Patton, confirmed to databreaches.net that the ransom was paid as it was not possible to restore files from backups due to the actions taken by the attackers. Initially, a ransom demand of 4 Bitcoin was issued – Around $30,000 – although the practice managed to negotiate with the attackers and paid 0.5 BTC (approx. $3,758) for the keys to recover the encrypted data.

All systems and data have now been restored, additional layers of security and encryption have been implemented, and APP’s remote access policies have been updated.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 6,546 patients were potentially impacted. APP notes that there was clear evidence that protected health information was not viewed by the attackers; however, as a precautionary measure, APP has suggested affected individuals monitor their credit reports for any sign of fraudulent use of their information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist