HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Attack Potentially Impacts 128,000 Arkansas Patients

Arkansas Oral Facial Surgery Center in Fayetteville has experienced a ransomware attack that has potentially impacted up to 128,000 of its patients.

Ransomware was believed to have been installed on its network between July 25 and 26, 2017. The attack was detected rapidly, although not before files, x-ray images, and documents had been encrypted. The incident did not result in the encryption of its patient database, except for a ‘relatively limited’ set of patients who had data related to their recent visits encrypted. Those patients had visited the center for medical services in the three weeks prior to the ransomware attack.

The ransomware attack is still under investigation, although to date, no evidence of data theft has been found. Arkansas Oral Facial Surgery Center believes the sole purpose of the attack was to extort money, and not to steal data; however, it has not been possible to rule out data access or data theft with a high degree of certainty.

The files and images that were potentially accessed included information such as names, addresses, dates of birth, Social Security numbers, health insurance details, medical diagnoses, health conditions, treatment information and other clinical information. The ransomware attack has also rendered files, medical images and details of visits unavailable.

Since sensitive protected health information has potentially been accessed, patients are now being notified of the breach by mail. All impacted individuals have been offered identity repair and credit monitoring services through AllClear ID for 12 months without charge.

Arkansas Oral Facial Surgery Center has warned patients to be alert for phishing attacks in the wake of the breach and has confirmed it would not request any personal information via the telephone or email in relation to the breach. If any calls or emails are received, patients should exercise caution and treat them as potential phishing scams.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.