Ransomware Encrypts Health Data for Three Months; PHI Still Inaccessible

Casa Grande, AZ-based Desert Care Family and Sports Medicine has alerted 500 patients to a potential breach of their protected health information (PHI) as a result of a ransomware infection.

The ransomware was installed on a server used to store PHI in August this year; however, despite attempts to unlock the encryption, patient data have still not been decrypted and have remained inaccessible for more than three months. The information stored on the server includes patients’ names, addresses, birthdates, account numbers, diagnoses, treatment information, and disability codes.

The healthcare provider took the affected server to a number of IT specialists in an attempt to unlock the encryption but to no avail. Free decryptors are available for certain ransomware variants via the No More Ransom Project; however, many of the most commonly used ransomware variants have yet to be cracked.

The only options for recovering locked data are to pay the ransom demand or to restore the encrypted files from backups. Unfortunately, there is no guarantee that payment of a ransom will result in the provision of a viable key to unlock the encrypted files. It is unclear whether Desert Care Family and Sports Medicine refused to pay the ransom or whether the ransom was paid and the attackers failed to supply a working key to decrypt the data.


Under HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) must be notified of a ransomware infection that results in ePHI being encrypted if the covered entity believes there is a risk that ePHI was accessed or copied by the attackers.

In most cases, ransomware infections do not result in the exfiltration of data. In this case, no evidence of data access or theft has been uncovered, although the possibility that PHI was viewed or copied could not be ruled out.

The incident was reported to both local law enforcement and the FBI, and a breach report has now been submitted to OCR. It is unclear why it took until December 20, 2016 for the notice to be provided to OCR and for patients to be informed of the potential breach. Covered entities are required to issue a breach notice within 60 days of the discovery of a potential data breach.

The incident clearly highlights the severity of the ransomware threat and how important it is for healthcare organizations to implement a range of controls to prevent infection and ensure data can be recovered.

It is essential for backups to be made of ePHI and for those backups to be tested to ensure data can be recovered. Since ransomware can also encrypt backup files, covered entities should store backup files on air-gapped devices or in the cloud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.