Potential Compromise of PHI As a Result of North Florida OB-GYN Cybersecurity Breach

North Florida OB-GYN in Jacksonville, FL learned that hackers got access to particular portions of its computer system that contain personal and medical data of patients and attacked the system with a virus that encrypted the data.

Once the breach was uncovered on July 27, 2019, the provider deactivated the networked computer systems and started breach response and recovery operations. Third-party IT specialists aided in looking into the breach. They validated if there was really unauthorized access of portions of its network-linked computer systems and a deployment of virus that resulted in data file encryption. The investigation showed that its computer systems were most possibly been breached on or prior to April 29, 2019.

Although system access was established, there was no proof that personal or health data was accessed without authorization or stolen; nevertheless, unauthorized records access and exfiltration couldn’t be eliminated.

Protected health information (PHI) probably breached in the attack was not the same from one patient to another patient and might have included the patients’ names, demographic data, dates of birth, ID card number, driver’s license number, Social Security number, medical insurance details, employment details, diagnoses, treatment details, and health-related pictures.

North Florida OB-GYN instructed the people impacted by the breach to be alert and monitor their account statements to see whether there was suspicious use of their information. It doesn’t seem that the impacted persons were given credit monitoring and identity theft protection services.

The provider was able to get back essentially all data files that the hacker encrypted. It is not sure if the attacker gave a ransom demand, which the provider paid, or if the data files were restored using backups. North Florida OB-GYN already did what is required to improve security and avert the same breaches from happening again.

The breach report was already sent to the HHS’ Office for Civil Rights and relevant state authorities. The incident is not yet published on the OCR breach website, and so the number of patients impacted by the breach is not yet certain.