HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack

Rochester, MN-based Associates in Psychiatry and Psychology (APP) has experienced a ransomware attack that affected several computers containing patients’ protected health information.

The ransomware attack was discovered on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no evidence was uncovered to suggest any protected health information was accessed or copied by the attackers.

Since it was not possible to rule out data access with 100% certainty, all patients whose data were stored on the affected devices have been notified of the security breach. The types of information potentially accessed include names, birth dates, addresses, Social Security numbers, insurance information, and treatment records.

APP acted promptly when the attack was discovered and took its systems offline to prevent the spread of the ransomware and limit the potential for further encryption of data and data theft. APP’s systems remained offline for four days while the attack was assessed.


APP notes in its Q&A about the incident that the attack is believed to have commenced between the evening of Friday, March 30 and the morning of Saturday, March 31. The type of ransomware used in the attack was “Triple-M.” APP explained that this variant of ransomware uses the RSA-2048 encryption protocol and extremely long keys to encrypt data. The system restore function was also disabled and the attackers reformatted the network storage device that was used to store backups.

APP’s IT Director, Steve Patton, confirmed to databreaches.net that the ransom was paid, as it was not possible to restore files from backups due to the actions taken by the attackers. Initially, a ransom demand of 4 Bitcoin (around $30,000) was issued, although the practice managed to negotiate with the attackers and paid 0.5 BTC (approx. $3,758) for the keys to recover the encrypted data.

All systems and data have now been restored, additional layers of security and encryption have been implemented, and APP’s remote access policies have been updated.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 6,546 patients were potentially impacted. APP notes that there was clear evidence that protected health information was not viewed by the attackers; however, as a precautionary measure, APP has suggested affected individuals monitor their credit reports for any sign of fraudulent use of their information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.