Ransomware Attack Affects More than 600 Healthcare Organizations

A ransomware attack on a finance company has affected more than 600 healthcare organizations. The company is an accounts receivable management company that provides assistance to various organizations including healthcare providers. 

On February 26, 2022, the company detected and stopped a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of its computer systems. The company immediately engaged third-party forensic specialists to assist with securing the network environment and investigating the extent of any unauthorized activity.

The patient information that could have been accessed by an unauthorized third party includes first and last names, addresses, accounts receivable balances, and information regarding payments made to accounts. In some cases, dates of birth, Social Security numbers, health insurance information, and medical treatment information were also compromised. The company found no evidence that personal information had been specifically misused.  

The company is mailing letters to potentially involved individuals with details about the incident and providing resources they can use to help protect their information. They are also offering potentially involved individuals access to free credit monitoring and identity theft protection services. 

Issue: 

The healthcare sector is one of the most frequent targets of ransomware because patient records are highly sensitive and critical to care delivery, making the sector especially exposed to breaches of confidentiality. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule also requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches, which are reportable under HIPAA requirements.

Discussion Points: 

  • Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling victim to breach attempts by unauthorized individuals, and how to guard against and detect malicious software. Update them as new information becomes available.
  • Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposure, and unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
  • Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed.