Following the installation of ransomware and malware on a server belonging to Mind & Motion Developmental Centers of Georgia, it has been revealed that the group responsible which may have been able to access to 16,000 patients protected health information.
The ransomware was installed and implemented on a server housing Mind & Motion medical records. The range of data that was possibly compromised includes names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance data and Social Security details. Medical records may also have been compromised due to the attack.
Mind & Motion noticed the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was hired to review the breach, deduce how the attack occurred and help rescue data that had been made inaccessible by the ransomware.
Along with the ransomware infection, TeamLogic IT discovered an disabled keylogger and a spam emailer on the server. All malware was completely erased and associated accounts were deleted. TeamLogic IT did not find any proof to suggest any of the installed malware had been used to view patient financial information or its scheduling and electronic billing databases.
Since the attack was found, Mind & Motion has not been contacted with reports from patients to suggest that any of their PHI has been stolen and improperly used. The attack is thought to have been carried out with the aim of extorting money from Mind & Motion. Thus, it is felt that patients are not like to suffer any negative effects from the attack.
Following guidance from a third party IT vendor, Mind & Motion has reset all passwords and put in place controls to ensure complex passwords are established on all accounts going forward. A policy has also been brought in to force users to change passwords more often. Computers and servers have professional anti-malware solutions included and will be constantly scanned. Mind & Motion has also applied encryption on all its computers and the latest anti-spam technology has been enabled to safeguard against phishing attacks.
Soon after the breach was found, Mind and Motion contracted a compliance consulting firm to make sure that all obligations of HIPAA were met. The consulting firm will be providing additional HIPAA compliance training to all staff within 30 days.
A breach report was filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) on November 30, 2018 and all impacted patients have been alerted regarding the breach by mail. The OCR breach report states that almost 16,000 patient records were possibly impacted.