Central Colorado Dermatology (CCD) has made contact with over 4,000 clients that some of their protected health information (PHI) has possibly been obtained by cyber criminals during a ransomware attack on its IT systems.
An unauthorized person obtained access to CCD’s computer network and installed ransomware on a server. Medical histories and patients’ medical charts were not viewed, although certain files and scanned fax correspondence were encrypted. Some of those files included PHI.
An investigation was initiated to determine if protected health information was obtained it was not possible to determine with a high degree of certainty whether any PHI was stolen. CCD did not find any proof to suggest that PHI had been accessed or stolen, although some of the software that had been placed on its network could have enable files to be downloaded.
The range of files that could have been obtained including the following details: Names, addresses, contact telephone information, birth dates, emails, Insurance data, Social Security numbers, insurance payment codes and expenses, dates of service, clinical information, medical conditions, diagnoses, treatment information, laboratory test results, diagnostic studies, duplicates of CCD reports and notes and information sent to CCD from other healthcare suppliers by fax.
The investigation discovered that remote access was obtained to a single server on June 5, 2018 and ransomware was installed the same day.
Upon identifying of the attack, steps were taken to safeguard the network and block remote access and a cybersecurity firm was retained to look into the attack. After systems were secured and the malicious software was deleted, the cybersecurity firm continued to review the network for several weeks to ensure that no further efforts were made to access the system. During that time period, no further intrusions were discovered and no suspicious network activity was noticed.
In reaction to the cyber attack, CCD has amended its password requirements and how its network can be logged onto, new anti-virus software has been enable, and further upgrades to system security have been implemented. That process is ongoing, guided by IT security specialists. Amendments have also been made to its fax software to see that that digital copies of faxes are not automatically saved on its network.
As unauthorized PHI access and theft of files could not be eliminated, notification letters were issued to all 4,065 patients whose PHI could possible have been accessed. All patients impacted by the breach have been provided with one year of credit monitoring services.