A Plastic Surgery Associates of South Dakota ransomware attack has potentially resulted in criminals gaining access to the protected health information (PHI) of 10,200 of its patients.
Last year, OCR confirmed in its ransomware guidance that a ransomware attack is usually a reportable HIPAA breach and that breach notification letters should be sent to patients if their PHI was compromised in the attack. The HIPAA Breach Notification Rule requires patients to be notified of HIPAA data breaches within 60 days of the discovery that PHI has been compromised.
In this case, the ransomware attack occurred on February 12, 2017, yet notifications have only just been sent to patients. Plastic Surgery Associates of South Dakota said in its breach notice that rapid action was taken to mitigate risk and that a computer forensics firm was hired to conduct an investigation, determine which data were encrypted, and establish whether any patients’ information was compromised.
Plastic Surgery Associates of South Dakota reports that the majority of its patients were not affected by the attack, although the process of restoring data did result in some information being lost.
The reason for the delay in issuing breach notifications was that the files that were lost contained the evidence that would have confirmed patients’ PHI was not accessed or encrypted. Without that information, it was not possible to confirm that a HIPAA data breach had not occurred. Consequently, the incident had to be reported to the Department of Health and Human Services’ Office for Civil Rights and breach letters sent to its patients.
Without access to the lost data, it was not possible to determine whether the PHI of 10,200 of its patients had been accessed. Those patients have now been informed that their name, Social Security number, driver’s license number, state ID number, credit/debit card details, lab test results, medical conditions, health insurance information, and date of birth could potentially have been accessed and copied.
As a precaution against identity theft and fraud, all affected patients have been offered credit monitoring and identity theft protection services through Equifax for 12 months without charge. The incident has also prompted Plastic Surgery Associates of South Dakota to conduct a review of its security protections, which will be enhanced to prevent similar incidents from occurring in the future.