May Eye Care Center, PA, has announced that the protected healthcare information of up to 30,000 patients was affected in a recent ransomware attack.
May Eye Care Center, a healthcare facility in Hanover, PA which specialises in laser eye surgery, experienced a ransomware attack in July 2018. Ransomware is software which denies the user access to their device, or to certain files on the device, until a ransom has been paid to the attacker. A range of patient information was encrypted, including data in the facility's electronic medical record system.
The ransomware was downloaded on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers.
Shortly after the discovery of the attack, May Eye Care Center called in a leading computer forensics company to investigate the breach. An IT firm that specializes in data security was engaged to conduct a full review of security systems and protocols.
The attacker delivered a ransom demand to the facility. However, May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data. No ransom was paid to the attacker.
In accordance with HIPAA’s Breach Notification Rule, patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 11. The breach summary on the OCR Breach Portal indicates 30,000 patients were impacted by the incident.
May Eye Care Center believes the sole purpose of the attack was to obtain a ransom payment. The computer forensics team did not find evidence to suggest any patients’ protected health information was accessed by the attackers, and no reports of misuse of PHI have been received. However, since data theft cannot be ruled out, all patients have been advised to check their credit reports, accounts, and explanation of benefits statements for any sign of fraudulent activity.
May Eye Care has taken measures to improve the robustness of their security systems should another cyberattack occur in the future.
Ransomware is often delivered via phishing attacks. Healthcare organisations are an attractive target for hackers, due to the sensitive nature of the information they hold and the potential for disruption. Various reports on cybersecurity have been released in recent months showing that ransomware attacks are on the rise. The malware may be easily obtained from the dark web, and therefore provides a very easy way for hackers to attack hospitals. Although not all attempts are successful, as in the case above, the small percentage that are may provide a large payout, depending on the size of the organisation.
Many hospitals and healthcare organisations do not have sufficiently strong technical safeguards on their data, making them susceptible to attacks of this nature. Furthermore, the enormous cost of implementing a robust security plan is prohibitive for smaller organisations. However, having inadequate safeguards is a violation of HIPAA regulations. A lack of resources is not deemed an acceptable excuse, and organisations found in violation of HIPAA often have to pay hefty fines. The short-term costs of implementing a strong IT framework are insignificant in comparison to the potential damage done by a huge security breach, in terms of both financial and reputational damage.