Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients.

Columbia Surgical Specialists learned of the ransomware attack on January 9, 2019. The security breach was immediately investigated and assistance was provided by IT security provider Intrinium.

Files encrypted by the ransomware were found to contain patient information, which included names, driver’s license numbers, Social security numbers and other types of protected health information.

Columbia Surgical Specialists told HIPAA Journal that the data security firm “went through our systems with a fine-tooth comb,” and concluded that patient data had not been stolen by the attackers. “but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee.” Columbia Surgical Specialists believes the risk to patients is very low, and notifications were sent to patients out of an abundance of caution.

The vulnerability that was exploited to gain access to the network server to install the ransomware has been addressed and Columbia Surgical Specialists is continuing to review internal protocols and procedures to prevent any future attacks.

Columbia Surgical Specialists has been very open about the breach and confirmed that in order to recover patient files, the decision was taken to pay the ransom demand. $14,649.09 was paid in cryptocurrency to decrypt file that had been encrypted by the ransowmare.

“We received notice from the people that encrypted the files just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee,” explained Columbia Surgical Specialists. “We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data.”

The breach notification sent to patients provide some insight into the nature of breach investigations and why it often takes so long to issue notifications to patients. Columbia Surgical Specialists explained “We’ve learned this type of attack unfolds slowly, in fits and starts, and thus the IT experts investigating the situation find bits of evidence that they piece together to learn what happened.” It takes time for the full scale and extent of an attack to become known, including which information was involved and who was potentially affected.

The security breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 18, 2019. After investigating the breach, Columbia Surgical Specialists determined that the number of individuals who had potentially been affected by the breach was actually much lower.

Mary Free Bed Rehabilitation Hospital, McLaren Health Care, and Health Alliance Plan Affected by Wolverine Solutions Ransomware Attack

Health Alliance Plan in Detroit, MI, McLaren Health Care in Grand Blanc, MI, and Mary Free Bed Rehabilitation Hospital in Grand Rapids, MI, have announced that some of their patients have had some of their protected health information exposed as a result of a ransomware attack on the Detroit-based billing services provider, Wolverine Solutions Group.

Wolverine Solutions Group experienced a ransomware attack on or around September 23, 2018, which resulted in the encryption of files on its servers and workstations. The attack is affected around 700 of its clients and a total of around 1.2 million patients and health plan members have had their PHI exposed, according to databreaches.net.

Due to the scale of the attack and the difficulty recovering encrypted files, it has taken some time to issue notifications to all affected clients. Wolverine Solutions started sending notifications to affected clients in November, although many clients have only recently learned about the number of individuals affected and the amount of PHI that was exposed.

In February, Health Alliance Plan learned that 120,344 of its plan members had been affected by the breach. Names, addresses, dates of birth, member ID numbers, healthcare provider names, patient ID numbers and claim information were exposed.

4,755 patients of Mary Free Bed Rehabilitation Hospital were affected. Names, addresses, billing numbers, and insurance providers’ names were exposed. A quarter of affected patients also had their Social Security number exposed.

McLaren Health Care patients had names, addresses, phone numbers, dates of birth, social security numbers, insurance information, and some medical information exposed. It is currently unclear how many of its patients were affected.

While PHI could have potentially been viewed, Wolverine Solutions Group believes the attack was conducted with the sole purpose of obtaining a ransom payment. However, since data access and theft could not be ruled out, Wolverine Solutions Group has offered affected individuals 12 months of credit monitoring and identity repair services without charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.