HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 16,600 Patients Potentially Compromised in Ransomware Attack on Andrews Braces

The Sparks, NV orthodontics practice, Andrews Braces, has experienced a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day.

The practice hired a third-party forensic investigator to assess the scope and extent of the attack and determine whether patient information had been accessed or exfiltrated prior to encryption. While it is not uncommon for ransomware attacks to involve data theft, the investigation did not uncover any evidence to suggest data had been obtained by the attackers. This appeared to be an automated attack with the sole aim of encrypting data to extort money from the practice.

The practice regularly backed up patient data and stored its backups securely, so it was possible to restore the encrypted files without paying the ransom. Data theft is not suspected but the possibility could not be ruled out, so notification letters have been sent to all affected patients. The types of data which could potentially have been accessed by the attacker included names, addresses, dates of birth, Social Security numbers, email addresses, and health information.

Andrews Braces has now implemented additional security solutions and has taken other steps to harden security to prevent further attacks in the future.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

EVERSANA Sends Notification Letters to Patients About 2019 Data Breach

EVERSANA, an independent provider of global services to the life sciences industry, has discovered an unauthorized individual gained access to the email accounts of some of its employees in 2019.

EVERSANA was notified about unusual activity in its employees’ accounts and determined that the accounts had been accessed by an unauthorized individual through a legacy technology environment. The investigation revealed the accounts were compromised between April 1 and July 3, 2019.

The accounts contained information from a limited number of patient services programs. No evidence of unauthorized data access was found, but it is possible that the attacker(s) accessed the sensitive information of certain patients. A comprehensive review of the affected accounts concluded in February and confirmed the following data elements were potentially compromised: Names, addresses, Social Security numbers, driver’s license numbers, state identification numbers, passport numbers, tax identification numbers, debit/credit card information, financial account information, usernames and passwords, health information, treatment information, diagnoses, provider names, MRN/patient ID numbers, Medicare/Medicaid numbers, health insurance information, treatment cost information, and/or prescription information.

EVERSANA has updated its legacy technology environment and has implemented further safeguards to strengthen security. Affected individuals have now been notified and offered 12 months’ complimentary membership to credit monitoring and identity restoration services.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.