Gastroenterology Consultants in Texas has started notifying patients about a cyberattack that took place on January 10, 2021, in which their protected health information was potentially compromised. Hackers infiltrated its network and deployed ransomware, which encrypted files, rendering them inaccessible. The attackers may also have viewed or obtained files containing patient data prior to encrypting files.
Gastroenterology Consultants, the largest partnership GI practice in Houston, immediately took steps to block the attack and eject the hackers from its network. An investigation was launched into the breach and the encrypted data were restored.
A substitute breach notice published on the group’s web portal on March 19, 2021 said no evidence was found that suggested any patient data was exfiltrated by the cybercriminals prior to the use of ransomware, although data access and theft could not be ruled out.
As is typically the case with attacks like this, breach notification letters are sent out to anyone potentially impacted by the attack, even though no proof of data theft was found. Since it was not possible to determine which patients, if any, were affected, Gastroenterology Consultants opted to notify all patients whose PHI was stored on the affected systems.
A breach notification sent to the Maine Attorney General states that some 162,163 breach notifications have been issued. Gastroenterology Consultants said in the notice that, “after undertaking an extensive data mining process to determine specifically whether any patient or employee had any sensitive Personal Information or Personal Health Information exposed, we, unfortunately, learned that the time and effort to manually review thousands of documents was not cost-effective”.
It continues: “Therefore, although there is no evidence of any unauthorized use of patient or employee data, we have determined it best to issue mail notifications to all employees and patients detailing the specific type of information potentially exposed.”
The breach investigation also found that the data believed to have been impacted included files created by staff members to allow for patient processing. Those files included a range of different types of PHI; however, fewer than 50 Social Security numbers were exposed.
Gastroenterology Consultants is offering complimentary credit monitoring services to individuals whose Social Security number was exposed, as well as employees whose sensitive data may have been viewed.