HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Jersey Sleep Medicine Specialists Experience Ransomware Attack

The New Jersey-based Hackensack Sleep and Pulmonary Center, specialists in sleep disorders and pulmonary conditions and diseases, has experienced a ransomware attack that resulted in the protected health information of certain patients being encrypted.

The ransomware attack occurred on September 24, 2017, and resulted in medical record files being encrypted. The attack was discovered the following day. As is typical in these attacks, the attackers issued a ransom demand, payment of which was required to obtain the keys to unlock the encryption.

Hackensack Sleep and Pulmonary Center was prepared for ransomware attacks: it had made backups of all files and stored them securely offline. The backups were used to recover all encrypted data without paying the ransom.

While data access is a possibility with ransomware attacks, the purpose of ransomware is usually to make data inaccessible and force victims to pay for the key to unlock the encryption. Ransomware attacks typically do not involve data access or data theft. Hackensack Sleep and Pulmonary Center has no reason to believe this attack was any different. No evidence was uncovered to suggest that any data were removed from its system or viewed by the attackers.

The types of information encrypted included diagnoses, notes, procedures, and patient reports, along with names, addresses, Social Security numbers, dates of birth, insurance information, credit card numbers, and account information.

Hackensack Sleep and Pulmonary Center called in a forensic expert to assist with the investigation and has received recommendations on additional security protections that can be deployed to prevent future incidents. Those recommendations are being considered, and additional security measures will be implemented to improve security and prevent future attacks.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and the New Jersey State Police Cyber Crimes Unit, and affected individuals have been notified of the breach by mail.

The OCR breach portal indicates 16,474 patients have been impacted by the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.