ABCD Pediatrics, a Texas-based pediatric practice, has recently reported a major data breach resulting from a ransomware attack that occurred in early February. An article on Gov Info Security explores the attack, looking closely at what made it a reportable incident.
According to the practice, an employee discovered that a virus had gained access to their system and had started encrypting files on their server. The anti-malware software ABCD was running significantly slowed the encryption process. ABCD acted quickly by contacting their IT service provider, who took the server and computers offline. At no point did the practice receive a ransom demand or any other form of communication from the attackers.
The IT service provider for ABCD was able to remove the virus along with the corrupt data from their server. Fortunately for the practice, their secure backup data was stored separately and was not compromised during the attack, allowing them to use the backup to restore the data from the infected systems.
“While no confidential data, including protected health information, were lost or destroyed in the incident, exfiltration or unauthorized viewing of data could not be ruled out.”
The practice stated that analysis of its servers and computers uncovered suspicious accounts, which may indicate that the hackers did gain access to portions of the network.
The malware used in the attack was determined to be a ransomware named Dharma, a variant of the older CrySiS family. Even though these strains are not typically known to exfiltrate data from the server, exfiltration could not be ruled out in this case.
“Potentially compromised data include patients’ names, addresses, telephone number, date of birth, other demographic information, Social Security numbers, insurance billing information, current procedural technology codes, medical records and laboratory reports.”
This breach was reported to both the FBI and the Department of Health and Human Services, with HHS’ Office for Civil Rights recording the breach as a hacking incident that affected 55,447 people.
When to Report a Breach
Determining when a breach is reportable can be a difficult task. OCR issued guidance last July to assist both covered entities and business associates in determining if a ransomware attack should be reported as a breach under HIPAA regulations. OCR determined that in most cases ransomware is considered a reportable breach.
“Under HIPAA, a breach is defined as the acquisition, access, use or disclosure of personal health information in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.”
The Time to Act is Now
Protecting your company from falling victim to ransomware is crucial.
“Ransomware is still an ongoing and active problem in the healthcare industry – and obviously beyond. It’s a style of attack, which can have different root causes and different purposes. Sometimes, perpetrators are like the old Nigerian email scams – they try for lots of people just to see if something works, and may not even focus on what worked.”
– Kirk Nahra, Privacy Attorney at Wiley Rein law firm
Educating your staff on the importance of cybersecurity is 100% necessary. Training staff to spot anything suspicious is key to protecting your company. Teaching staff the value of reporting these incidents, and monitoring your systems routinely, will help protect your business. In addition, it is important to become familiar with breach notification issues; the guidance provided by OCR can be very helpful in determining whether a breach is reportable.
Train your employees to spot ransomware!
All Covered Entities and Business Associates need to train their employees on HIPAA security. Our training not only focuses on HIPAA regulations, but concentrates on the risk of data breaches. We emphasize the dangers of phishing emails, phishing websites and ransomware. We teach employees how to spot phishing emails and how ransomware attacks a network so they can avoid being a victim.
Now it is easy to train your employees on protecting patient information! Get more information on free HIPAA security training!