A ransomware attack that targeted Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska has potentially exposedin the protected health information of almost 10,000 clients.
The ransomware attack took place on October 7, 2017 and saw a wide variety of files on some servers being encrypted by the ransomware. A ransom demand was made by the hackers, although this was not paid. The encrypted data was restored from a recently-conducted backup to permit services to carry on as normal for patients.
Third-party computer forensics contractors were brought in to assist with the investigation of the attack to try and see if the attackers gained access to, saw, or downloaded patient information and to investigate how access to the servers was gained and how the ransomware was uploaded.
The investigation did not uncover proof to show if any patient health information was taken, but data access could not be ruled out with a high degree of certainty. In line with HIPAA Regulations, the incident was reportable to the Department of Health and Human Services’ Office for Civil Rights. Also under HIPAA Rules and notifications to patients were necessary. Those notifications have now been broadcast.
According to Eye Physicians the violation involved information such as names, dates of birth, and ophthalmic imagery, and that no specific financial information or Social Security details were exposed.
Following the attack, a third party IT security consultant conducted a thorough security risk assessment to discover potential weaknesses, and hardware and software have been upgraded in light of the assessment. It is hoped that the enhancements to security will help to eliminate similar incidents from occurring going forward.
The incident affected 2,620 patients of Eye Physicians and 7,721 patients of the Columbus Surgery Center as was reported to OCR.