Sioux City Eye Clinic Breach Impacts PHI of 40,000 Patients


The protected health information (PHI) of around 40,000 patients of the Jones Eye Clinic and its associated surgery center, CJ Elmwood Partners, L.P., located in Sioux City, IA, was potentially compromised.

The breach was caused by a ransomware attack that affected data stored in an information system used for booking appointments and invoicing patients. The attack did not affect the electronic medical records, which were stored in a different system that the hacker did not access.

Jones Eye Clinic found out about the ransomware attack on August 23, 2018, but the ransomware was actually installed on the night of August 22, according to the findings of an investigation by a third-party forensic company.

The attacker demanded a ransom in exchange for the decryption keys, but the clinic did not pay it. Instead, the files were recovered from backups, and the data was fully restored on August 23.

The investigators did not find any information positively indicating that patient data was accessed or downloaded. Jones Eye Clinic still offered all affected patients one year of free credit monitoring services, since data theft can’t be ruled out. Patients received breach notifications by mail and can enroll in the free credit monitoring services until January 19, 2019.

The data that hackers potentially accessed included the patients’ full names, birth dates, addresses, general descriptions of surgical procedures, dates of service, clinic visits and medical record numbers. The insurance status, claims information and Social Security numbers of some patients may have been exposed as well. Jones Eye Clinic believes no financial data was accessed or compromised.

The patients potentially affected by the breach include those who registered or received medical services at the eye clinic and surgery center from January 1, 2003 to August 23, 2018.