Michigan Health Provider Pays to Recover PHI Following Ransomware Attack

Over the weekend of August 12-13 an individual obtained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware software encrypting data including patients’ protected health information.

However, prior to the ransomware being placed on the fileserver it is unclear whether patients’ PHI was accessed or downloaded. The Ashland clinic found that its data had been encrypted when employees returned to work on the morning of Monday, August 14.

Speedy action was taken to stop the file server being accessed further, including turning off access and taking the server offline. An external contractor was hired to help address the attack and remove all traces of malware from its the IT infrastructure.

Namaste Health Care decided to pay the attacker’s ransom demand to recover the data. In this case, a valid key was provided by the attacker and it was possible to access the encrypted files. The clinic was able to restore data and bring everything back online. The incident prompted the clinic to complete a review of its security measures and make “robust upgrades” to its “firewall and remote access technology.”

The breach investigation did not uncover any proof to suggest PHI had been obtained by the hacker, and no evidence was found to suggest any PHI was stolen. Even so, it was also not possible to determine with a high degree of certainty that data access and theft did not happen.

The file server stored a wide variety of PHI including names, addresses, dates of birth, medical record numbers, health insurance details, Social Security numbers, and details that referred to appointments and visits to the clinic, including the reasons for those appointments/visits. The exposed data related to all patients who had visited the clinic, or arranged an appointment to visit, prior to August 14, 2017.

Due to the sensitive nature of information held on the fileserver, all clients have been offered identity theft protection services through AllClear ID. Warnings about the ID protection services have been issued on behalf of the clinic by AllClear ID.

While the substitute breach notice published on the Namaste Health Care website does not specifically point out that financial details was potentially compromised, the clinic stated, “we recommend that you notify your banking institutions and request a change of any account numbers, if you provided us with such information.”

The ransomware incident has not appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal as of yet, so it is unclear exactly the number patients have been affected.