The protected health information (PHI) of 925 patients of Coastal Cape Fear Eye Associates has been compromised in a ransomware attack.
North Carolina’s Coastal Cape Fear Eye Associates, P.A., found that its systems had been breached on December 5 2017. Upon noticing the ransomware attack, Coastal Cape Fear Eye Associates hired external IT professionals to contain the attack and delete the ransomware. The IT experts were able to limit the harm caused and the malware was deleted, although some files remained locked and inaccessible for a period of time.
According to a substitute breach notice published on the healthcare provider’s website on February 1, 2018, the delay in issuing alerts to affected patients was because it was not possible to access certain files to figure out what information was involved and which patients were hit. Coastal Cape Fear Eye Associates has only recently been able to access all encrypted files that were compromised.
Under HIPAA Regulations, healthcare groups are required to report ransomware attacks unless the attacked body finss there was a low probability of PHI being accessed. Ransomware typically blindly encrypts files and file access is not usually involved, even so, the Department of Health and Human Services’ Office for Civil Rights (OCR) has published guidance on ransomware attacks that indicate – in the majority of cases – ransomware attacks should be reported and patients alerted.
In this instance, the investigation into the attack showed that data access was likely to have happened, although no proof was uncovered to indicate any information had been stolen by the attacker.
The files included a wide variety of highly sensitive information including names, dates of birth, addresses, phone numbers, email address details, Social Security numbers, insurance card data, driver’s license numbers, emergency contact details, ethnicities, medications, medical records, diagnosis records, physician notes, billing and payment transaction, legal documents, and scanned copies of driver’s licenses, insurance cards and Medicare cards.
Coastal Cape Fear Eye Associates and its IT consultants are still investigating the attack and will be adapting additional security processes to avoid future security breaches like this.