A ransomware attack on Cove Family and Sports Medicine and Krichev Family Medicine, P.C., in Huntsville, Alabama, resulted in the medical records and personal information of 4,300 patients being encrypted.
Ransomware was installed on April 14, 2017. Cove Medicine had backed up its data and was able to reinstall its operating system and recover encrypted files from backups, without having to resort to paying the ransom.
However, while the majority of PHI could be recovered, the backup devices were connected to the system at the time of the attack, so some of the backup data were encrypted as well and could not be recovered. The lost data were restricted to internal notes taken during visits dating back two years. Cove Medicine believes all other data have been recovered and that its ability to provide medical services to patients has not been affected.
Some ransomware attacks have involved data theft although, in this case, no evidence of data theft has been uncovered and there was no indication systems were accessed prior to the deployment of ransomware. The purpose of the attack is believed to have solely been an attempt to extort money from the practice.
Notifications have been sent to patients to alert them to the ransomware attack out of an abundance of caution, even though ePHI access is not suspected. The types of information encrypted in the attack included names, addresses, dates of birth, Social Security numbers, patient ID numbers, diagnoses, procedure information, times and dates of treatment, and prescription information.
As with all breaches involving more than 500 records, the Department of Health and Human Services’ Office for Civil Rights conducts an investigation. Provided organizations have implemented controls to reduce the risk of malware and ransomware attacks to the standard required by HIPAA, no further action is likely to be taken.
In this case, OCR was satisfied that Cove Family and Sports Medicine had implemented all appropriate controls and HIPAA Rules had not been violated. The investigation was closed with no further action required.
This ransomware attack clearly demonstrates how important it is for healthcare organizations to ensure backup devices are disconnected after backups have been performed. If backup devices are not air-gapped, backup files can be encrypted along with all other files on the infected computer and network.
If backups are encrypted, healthcare organizations will have little alternative but to pay the ransom. As the NotPetya (ExPetr) wiper attacks clearly showed, it may not be possible to recover data even if a ransom is paid.
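Disconnecting backup media only helps if you also know the copies on that media are still intact before you need them. The following is an added example, not code from the article or from the practices involved, of a post-backup integrity check that flags files on a backup volume that look as though they were encrypted in place: known document types whose magic bytes are gone, plain-text files with ciphertext-like entropy, and files carrying an extension outside an allowlist. The allowlist, the entropy threshold and the sample backup tree it builds are all constructed for the example.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Well-known magic bytes for file types the backup set is expected to contain
# (assumed allowlist for this example; extend it to match your own backup set).
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
}
# Plain-text types: expected to have low byte entropy (assumed allowlist).
TEXT_TYPES = {".txt", ".csv", ".log", ".xml", ".json"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_file(path: Path, sample_size: int = 4096) -> Optional[str]:
    """Return a reason if the file looks encrypted in place or renamed, else None."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    if ext in MAGIC:
        # A known binary type must still begin with its signature.
        if not head.startswith(MAGIC[ext]):
            return f"header mismatch: {ext} file does not start with expected magic"
        return None
    if ext in TEXT_TYPES:
        # Natural-language text lands around 4-5 bits/byte; ciphertext near 8.
        ent = shannon_entropy(head)
        if ent > ENTROPY_THRESHOLD:
            return f"high entropy ({ent:.2f} bits/byte) for a text file"
        return None
    # Anything outside the allowlist (e.g. an appended extension) is suspect.
    return f"unexpected extension {ext!r}"


def verify_backup(root: Path) -> Dict[str, str]:
    """Walk a backup tree and map each suspicious relative path to its reason."""
    findings: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = inspect_file(p)
            if reason:
                findings[str(p.relative_to(root)).replace(os.sep, "/")] = reason
    return findings


def build_sample_backup() -> Path:
    """Constructed sample backup tree: two intact files and three damaged ones."""
    root = Path(tempfile.mkdtemp(prefix="backup_check_"))
    (root / "notes").mkdir()
    # Intact files.
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"% intact placeholder content\n" * 20)
    (root / "notes" / "visit_2016.txt").write_text("Patient seen for follow-up. BP normal.\n" * 50)
    # Simulated damage: visit notes overwritten with ciphertext-like random bytes.
    (root / "notes" / "visit_2017.txt").write_bytes(os.urandom(8192))
    # Simulated damage: PDF encrypted in place, signature gone.
    (root / "imaging.pdf").write_bytes(os.urandom(8192))
    # Simulated damage: file renamed with an extension outside the allowlist.
    (root / "schedule.csv.locked").write_bytes(os.urandom(2048))
    return root


if __name__ == "__main__":
    sample = build_sample_backup()
    for rel, why in verify_backup(sample).items():
        print(f"SUSPECT {rel}: {why}")
```

Run this against the mounted backup volume immediately after the backup job completes and before the device is detached; a non-empty result means the copy you are about to take offline is not one you can restore from. Checking only the first few kilobytes keeps the pass fast enough to run on every job.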