PHI of 750,000 Patients of Oregon Anesthesiology Recovered Following Ransomware Attack

On July 11, 2021, Oregon Anesthesiology Group discovered it was the victim of a ransomware attack. Files on its systems had been encrypted which prevented access to its servers and patient data.

Following the attack, its IT infrastructure was reconstructed and offline data backups were used to promptly restore the affected files. A digital forensics firm was engaged to investigate the breach and it was confirmed that patient and employee information had been compromised, with the affected parts of its network found to contain files that included names, addresses, dates of service, diagnosis and procedure codes and descriptions, medical record numbers, insurance provider names, and insurance ID numbers. Employee data potentially compromised in the attack included names, addresses, Social Security numbers, and other information contained in W-2 forms.

The forensic investigation revealed that once the hackers had gained access to its network, they data-mined administrator credentials which allowed them to access encrypted data on its network. The FBI told Oregon Anesthesiology Group that the attackers most likely exploited a vulnerability in its third-party firewall to gain access to its network.

In response to the breach, the firewall was replaced, multi-factor authentication was implemented more comprehensively, network access control policies were upgraded, and a third-party vendor was engaged to provide 24/7 real-time security monitoring and gave advice on security system architecture, enhanced data and network segregation, and increased use of cloud-based infrastructure.

Oregon Anesthesiology Group sent notification letters to approximately 750,000 patients and 522 current and former employees. While no evidence of attempted or actual misuse of patient data has been found, identity theft protection and credit monitoring services have been provided to affected individuals, who will also be covered by an identity theft insurance policy.

In order to recover data stolen by ransomware gangs, it is usually necessary to pay the ransom demand. In this case, however, the ransom was not paid but Oregon Anesthesiology Group was notified by the FBI on October 21, 2021, that it had seized “an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files.” It is unclear if the seized account contained the only copy of the stolen data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.