HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Reinvestigation of 2019 Metro Presort Ransomware Attack Reveals PHI May Have Been Compromised

The Portland, OR-based technology and communication solution provider Metro Presort suffered a ransomware attack on May 6, 2019 which resulted in the encryption of files and locked staff out of its systems. The ransomware attack was promptly identified and was contained by May 15, 2019 and the company was able to recover from the attack relatively quickly. An investigation into the attack found no evidence to suggest files were removed from its system, and since the company already encrypted customer data, the attackers would not have been able to access any sensitive information.

In October 2020, Metro Presort reinvestigated the attack and the secondary investigation was unable to confirm that files containing customer data were definitely encrypted before the attack. The invoices, statements, and spreadsheets that Metro presort processed for clients, including healthcare organizations, could potentially have been accessed. An analysis of those files confirmed they contained patient names, addresses, dates of birth, patient and health plan IDs or account numbers, appointment dates, treatment dates, and diagnoses and treatment codes, according to a substitute breach notice published on the Metro Presort website on November 24, 2020.

The incident has recently appeared on the HHS’ Office for Civil Rights website stating the PHI of up to 38,387 individuals may have been compromised. Metro Presort explained in its breach notice that the Department of Health and Human Services’ Office for Civil Rights investigated the breach, Metro Presort’s response, and its policies and procedures, and closed the case on December 31, 2020 after confirming no HIPAA violations had occurred.

“Both before and since this incident, MPI and has devoted considerable resources to maintaining and enhancing its data security, including implementation of the latest technical safeguards to prevent similar incidents, additional protections (encryption) of customer files, and security audits,” explained Metro Presort in its breach notice.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.