Columbus Surgery Center, LLC and Eye Physicians, P.C in Columbus, Nebraska were attacked by ransomware resulting in the potential protected health information exposure of about 10,000 patients. The ransomware attacked on October 7, 2017 and encrypted a range of files on some servers. The attackers demanded a ransom but no ransom was paid. The healthcare providers had a backup of the encrypted files and were able to restore them without disrupting the services to patients.
The two providers called upon the assistance of third-party computer forensics experts to investigate the incident. They were tasked to know how the attackers gained access to the servers, how the ransomware was installed and what patient information the attackers viewed or copied. According to the investigation report, there was no evidence that patient health information was stolen. But it’s not 100% certain that data was not accessed. Hence, Columbus Surgery Center and Eye Physicians reported the potential health data breach to the Department of Health and Human Services’ Office for Civil Rights to follow the HIPAA Rules. The 2,620 patients of Eye Physicians and 7,721 patients of Columbus Surgery Center impacted by the data breach were also notified by mail.
The breach report of Eye Physicians stated that the following were exposed: names, birth dates, and ophthalmic imagery. No Social Security numbers or financial information was exposed. To prevent a similar attack from happening in the future, an external IT security consultant conducted a comprehensive security risk assessment. Potential vulnerabilities were identified. Both software and hardware were upgraded to improve system security.