6,550 Jemison Internal Medicine Patients Affected by Ransomware Attack

by | Mar 6, 2018

A ransomware attack on Jemison Internal Medicine of Alabama on December 20, 2017 lead to electronic health records being encrypted, disabling access to the patient data for the healthcare provider.

A ransom demand was sent for the keys to disable the encryption although no payment was given to the attacker. Luckily, Jemison Internal Medicine had viable backups of electronic PHI and restored data after reinstalling the operating system on affected devices. A review of its system post-data restoration showed no traces of the malicious software persisted.

While ransomware attacks are often not targeted and happen due to employees responding to phishing emails, this attack was more focused. The review into the security breach showed an unauthorized person had gained access to Jemison Internal Medicine’s computer system and had access for a period of around three months.

The investigation did not show any proof to indicate the EMR system was accessed by the hacker, although it was not possible to eliminate data access with a high degree of certainty. The types of data that could potentially have been seen or copied include names, telephone numbers, dates of birth, addresses, Social Security details, driver’s license numbers, prescription information, health insurance details, and treatment and procedure details.

The incident has lead to Jemison Internal Medicine to complete an audit of security, policies, and processes and steps have been taken to safeguard its systems and prevent further attacks. Remote connectivity to its computers has been switched off, all passwords have been amended, and other measures have been adapted to enhance security.

Patients impacted by the security breach have now been alerted by mail and the incident has been made known to to the Department of Health and Human Service’ Office for Civil Rights. The OCR breach summary states that the protected health information of 6,650 patients was potentially affected.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy