Michigan Health Provider Pays to Recover PHI Following Ransomware Attack

by | Oct 28, 2017

Over the weekend of August 12-13 an individual obtained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware software encrypting data including patients’ protected health information.

However, prior to the ransomware being placed on the fileserver it is unclear whether patients’ PHI was accessed or downloaded. The Ashland clinic found that its data had been encrypted when employees returned to work on the morning of Monday, August 14.

Speedy action was taken to stop the file server being accessed further, including turning off access and taking the server offline. An external contractor was hired to help address the attack and remove all traces of malware from its the IT infrastructure.

Namaste Health Care decided to pay the attacker’s ransom demand to recover the data. In this case, a valid key was provided by the attacker and it was possible to access the encrypted files. The clinic was able to restore data and bring everything back online. The incident prompted the clinic to complete a review of its security measures and make “robust upgrades” to its “firewall and remote access technology.”

The breach investigation did not uncover any proof to suggest PHI had been obtained by the hacker, and no evidence was found to suggest any PHI was stolen. Even so, it was also not possible to determine with a high degree of certainty that data access and theft did not happen.

The file server stored a wide variety of PHI including names, addresses, dates of birth, medical record numbers, health insurance details, Social Security numbers, and details that referred to appointments and visits to the clinic, including the reasons for those appointments/visits. The exposed data related to all patients who had visited the clinic, or arranged an appointment to visit, prior to August 14, 2017.

Due to the sensitive nature of information held on the fileserver, all clients have been offered identity theft protection services through AllClear ID. Warnings about the ID protection services have been issued on behalf of the clinic by AllClear ID.

While the substitute breach notice published on the Namaste Health Care website does not specifically point out that financial details was potentially compromised, the clinic stated, “we recommend that you notify your banking institutions and request a change of any account numbers, if you provided us with such information.”

The ransomware incident has not appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal as of yet, so it is unclear exactly the number patients have been affected.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy