Otolaryngology Associates Data Breach Affects Almost 317,000 Patients
A cyber threat actor has tried to extort money from the Indiana ENT specialists, Otolaryngology Associates, after gaining access to its network and exfiltrating patient and employee data. Otolaryngology Associates said its security system generated alerts about a potential intrusion on February 17, 2024, a few hours after the threat actor gained access to the network. Immediate action was taken to secure the network and block the attack, and at no point was access to the network prevented.
Three days later on February 20, and again on February 21, a threat actor made contact and claimed to have stolen data in the attack and threatened to publish the stolen data if the ransom was not paid. Third-party forensic experts were engaged to investigate the breach and they determined that the threat actor had not manually accessed files on the network but had run programs that exfiltrated data from internal systems.
The forensic investigation was able to narrow down the data that may have been exfiltrated, but it was not possible to determine exactly what types of data had been taken. The review of the files on the compromised parts of the network revealed they contained the protected health information of 316,802 individuals. For the majority of the affected individuals, the information potentially stolen in the attack was limited to information contained in billing records, which do not include Social Security numbers or driver’s license numbers. The exposed information was limited to names, OA medical record numbers, service codes, date(s) of service, treating physician names, appointment locations, insurance company names, and the dollar amount of charges.
A subset of the affected individuals may have had one or more of the following exposed: Social Security number, driver’s license number, address, email address, telephone number, date of birth, appointment schedule, referral forms, and/or insurance plan numbers. Affected employees may have had their bank account information and payroll information exposed. The individual notification letters state the types of information that have been exposed. OA Facial Plastics patients were not affected as OA Facial Plastics systems were not accessed by the attacker.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Otolaryngology Associates said it has implemented additional security measures to prevent further attacks and has instructed a cybersecurity firm to monitor the dark web for any release of patient data. At the time of issuing the notifications, no patient data has been publicly released.