
Sagewood Retirement Community Attacked with Ransomware

Sagewood, a retirement community in Phoenix, AZ, has notified 800 current and former residents about a ransomware attack that has potentially resulted in some of their electronic protected health information (ePHI) being accessed by the attackers.

Sagewood enlisted the services of a computer forensics firm to investigate the attack. According to the substitute breach notice on the Sagewood website, the attack was short-lived. It was possible to isolate and contain the infection within an hour of it being discovered.

Since it is possible that access to ePHI was gained, the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights in accordance with HIPAA Rules. Affected patients have also been notified of the incident by mail.

Ransomware locks files with powerful encryption, which prevents victims from accessing their data. After the files are locked, the victims are presented with a ransom demand. Payment must be made in order to receive the key to unlock the encryption.

Ransomware could also potentially give the attackers access to sensitive data, although typically the attacks are performed only to obtain ransom payments. However, in this case, files were locked but no ransom demand was received.

It is unclear whether the ransomware variant used in the attack failed, or if the attackers had other reasons for locking data.

It is possible that the attackers gained access to data and that patients’ names, phone numbers, addresses, dates of birth, Medicare numbers, Social Security numbers, and other national ID numbers were viewed.

Based on the short time period when data could have been accessed – and the lack of a ransom demand – “Sagewood does not believe that the attack was performed in order to gain access to a “hacker” was looking to compromise or misuse identities or personal information.”

Current and former residents impacted by the incident have nonetheless been advised to remain vigilant, to monitor payment card statements for any sign of fraudulent activity, and to consider placing a fraud alert on their credit cards.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 863 individuals were potentially impacted by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.