HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack

Somersworth, New Hampshire-based Atlantic Digestive Specialists is one of the latest healthcare organizations to report a ransomware attack that has potentially resulted in the protected health information of patients being accessed.

The ransomware attack was discovered on February 20, 2017 although a subsequent investigation revealed that the ransomware was installed on February 18. The infection took two days to resolve, during which time access to certain computer systems was limited. All traces of the ransomware were removed from its systems by February 22, 2017.

Atlantic Digestive Specialists hired a third-party cybersecurity firm to conduct a thorough investigation of the attack to determine how the infection occurred, the extent of the attack, and which files were potentially accessed by the attackers.

The investigation revealed files containing patients’ names, addresses, telephone numbers, medical record numbers, clinical and diagnostic information, health insurance details, and in some cases, Social Security numbers were encrypted.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The investigation uncovered no evidence to suggest any sensitive data were accessed or stolen by the attackers, and no reports have been received to suggest any patients’ protected health information has been misused. Since the possibility of data theft could not be ruled out with a high degree of certainty, all affected patients have been advised to be vigilant for signs of fraudulent activity. Out of an abundance of caution, patients have been offered credit monitoring services to protect them against identity theft and fraud.

Over the past few weeks, several small healthcare practices have been attacked with ransomware. While in most cases data have been recovered from backups and no ransom has been paid, the attacks have resulted in considerable disruption and sizable breach resolution costs.

Regular backups of data should be performed to ensure no ransom needs to be paid in the event of an attack and small healthcare organizations should consider augmenting their defenses against ransomware.

Since the majority of ransomware attacks occur via email, staff should be advised to exercise caution and not to open any email attachments from unknown senders, never to enable macros on emailed office documents, and to be wary of hyperlinks sent via email..

Information on how HIPAA Rules apply to ransomware attacks is available from the Department of Health and Human Services on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.