A specialty practice in Texas has notified more than 200,000 patients of a ransomware attack that might have exposed their personal information.
On 24 March, Urology Austin sent out notification letters to 279,663 patients informing them of an incident that occurred back in January. As quoted by DataBreaches.net:
“On January 22, 2017, Urology Austin was the victim of a ransomware attack that encrypted the data stored on our servers. Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation. We also began to take steps to restore the impacted data and our operations.”
Investigators have determined the attack may have compromised affected patients’ personal information including their names, addresses, dates of birth, Social Security Numbers, and medical information. It’s not clear if the bad actors took or misused the data. But as the attack affected more than 500 patients, the specialty practice complied with Texas law in disclosing the incident to its base of patients.
The ransomware infection appears to have affected everyone from current patients to individuals who haven’t used Urology Austin’s services in some time. For example, Gregg Philipson says he almost threw out the notice because he hasn’t been a patient at the specialty practice for 20 years. He’s now spending time on the phone in an effort to protect his identity.
As he told KXAN-TV:
“No one wants to be worried about identity theft. It’s a bit surprising, in the sense, with all the intrusion software that’s available today that this would be happening at this level. I think companies, small businesses and doctor’s organizations have to be more vigilant about protecting our data as citizens. And not providing us with unnecessary stress in addition to going to a doctor.”
Officials at Urology Austin are currently investigating the incident and working to improve the network’s security safeguards. Healthcare IT News reports employees have received phishing training. This could suggest the ransomware infection began with a phishing attack.
Urology Austin, which restored all affected data from a backup, has also set up a hotline for patients and is offering two years of free credit monitoring for all individuals affected by the incident.
To protect against incidents such as this attack as well as the ransomware infection that struck a Texas police department in January, organizations need to create a data backup strategy that involves regular tests of their backups. They should also train their employees to be on the lookout for suspicious emails and attachments.
Healthcare organizations should take the extra step to make sure all data is properly secured. In the event they have data from patients who are no longer receiving care, they should either de-identify the information or destroy it irreversibly.