Plastic Surgery Associates of South Dakota Ransomware Attack Announced

A Plastic Surgery Associates of South Dakota ransomware attack has potentially resulted in criminals gaining access to the protected health information (PHI) of 10,200 of its patients.

Last year, OCR confirmed in its ransomware guidance that a ransomware attack is usually a reportable HIPAA breach and that breach notification letters should be sent to patients if their PHI was compromised in the attack. The HIPAA Breach Notification Rule requires patients to be notified of HIPAA data breaches within 60 days of the discovery that PHI has been compromised.

In this case, the ransomware attack occurred on February 12, 2017, yet notifications have only just been sent to patients. Plastic Surgery Associates of South Dakota said in its breach notice that rapid action was taken to mitigate risk and a computer forensics firm was hired to conduct an investigation and determine which data were encrypted and whether any patients’ information was compromised.

Plastic Surgery Associates of South Dakota reports that the majority of its patients were not affected by the attack, although the process of restoring data did result in some information being lost.

The breach notifications were delayed because the files that were lost contained evidence that would have confirmed that patients’ PHI was not accessed or encrypted. Without access to that information, it was not possible to confirm that a HIPAA data breach had not occurred. Consequently, the incident had to be reported to the Department of Health and Human Services’ Office for Civil Rights and breach letters sent to its patients.

Without access to the lost data, it was not possible to determine whether the PHI of 10,200 of its patients had been accessed. Those patients have now been informed that their name, Social Security number, driver’s license number, state ID number, credit/debit card details, lab test results, medical conditions, health insurance information, and date of birth could potentially have been accessed and copied.

As a precaution against identity theft and fraud, all affected patients have been offered credit monitoring and identity theft protection services through Equifax for 12 months without charge. The incident has also prompted Plastic Surgery Associates of South Dakota to conduct a review of its security protections, which will be enhanced to prevent similar incidents from occurring in the future.

Author: Ryan Coyne