A total of 279,663 patients are being notified by Urology Austin that their protected health information (PHI) may have been compromised in a ransomware attack. Information that may have been compromised in the attack includes patient names, addresses, dates of birth, medical records and social security numbers. An article over on HIPAA Journal provides insight on the attack.
“Due to rapid detection of the ransomware attack, which occurred on January 22, 2017, limited damage was caused.
Within minutes of the attack, the computer network was shut down to prevent the spread of the infection and potential access/exfiltration of PHI.”
Although the attack was quickly detected, the data being stored on the organization’s server was encrypted.
“Ransomware often blindly encrypts data. The attacks are intended to cause major disruption to patient services to force an organization into paying a ransom demand to obtain a key to unlock the encryption. Data are not accessed or stolen by the attackers.”
Typically, in the case of a ransomware attack the risk of misuse of a patient’s PHI is low. In this instance, Urology Austin chose to provide the patients who were notified of the breach with identity theft monitoring services to help them feel more comfortable and confident that their information is safe following the attack.
In order to prevent a similar occurrence in the future, Urology Austin has taken steps to mitigate their risks, including updating system backups and improving network security.
In the breach notice submitted to the California attorney general’s office, Urology Austin provided details on how the ransomware attack occurred and indicated that employees were retrained on how to spot suspicious emails as well as on patient privacy and security practices. From this statement, we can gather that the ransomware attack likely occurred as a result of an employee error involving a malicious email, a favored method for cybercriminals to install ransomware.
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. Our training not only focuses on HIPAA regulations, but concentrates on the risk of data breaches. We emphasize the dangers of phishing emails, phishing websites and ransomware. We teach employees how to spot phishing emails and how ransomware attacks a network so they can avoid being a victim.
Now it is easy to train your employees on protecting patient information!