Peachtree Neurological Clinic has uncovered a 15-month security incident during the investigation of a ransomware attack. The Atlanta, GA clinic says the incident has resulted in the exposure of 176,295 patients’ protected health information.
Initially, sensitive data were encrypted when ransomware was installed on its systems. While the attack caused some disruption and its systems were temporarily taken out of action, the clinic was able to restore all encrypted data from backup files without paying a ransom.
A forensic investigation of the attack confirmed that all traces of the ransomware had been removed, but it also revealed that the clinic’s computer systems had been accessed by unauthorized individuals prior to the installation of the ransomware. The earliest recorded intrusion was in February 2016. Access to its systems was possible until May 2017, when the breach was discovered.
While access to data was possible, the investigation did not uncover any evidence to suggest protected health information had been stolen, although the possibility could not be discounted. Peachtree Neurological Clinic reports it was only possible to determine that unauthorized individuals had gained access to its systems, not whether data theft occurred.
The compromised systems contained a wide range of sensitive data including names, addresses, contact telephone numbers, birth dates, driver’s license numbers, prescription details, treatment data, procedures performed, health insurance details and Social Security numbers.
Peachtree Neurological Clinic has notified all affected individuals by mail and those patients have been offered identity theft protection services. They have also been advised to monitor their accounts and Explanation of Benefits statements for any sign of fraudulent activity. The clinic is working with law enforcement, which is investigating the incident.
This incident highlights the importance of conducting a forensic investigation following a ransomware attack. While malicious actors may succeed in installing ransomware without compromising the network, that is not always the case. Ransomware is often used to extort money from healthcare organizations at the end of an intrusion, once the attackers have no further use for system access, such as after all valuable information and data have been stolen.