In the wake of two recent global ransomware attacks, Airway Oxygen Inc., a privately held Michigan-based medical equipment provider, reported that a mid-April ransomware attack compromised more than 500,000 patient records. In what is believed to be one of the most severe ransomware attacks on healthcare information in 2017, over half a million patient records, including vital data such as names, addresses, birth dates, telephone numbers, medical diagnosis and treatment information, and health insurance policy numbers, were exposed to the cybercriminals. In addition to patient data, the personal information of more than 1,000 employees was compromised as well.
In the breach disclosure statement issued by Airway Oxygen Inc., it is noted that “vendors [and] contractors have potentially been affected by this criminal attack.” The company did not provide further details on the extent of the breach as it relates to other organizations, nor on the course of action taken to restore the data: “We have no comment with respect to the amount of the ransom demand or whether it was paid,” the notice states.
It is evident that ransomware and other types of cyberattacks can have broader implications, and despite the efforts of healthcare organizations, a data breach takes place almost daily. So far this year, 162 security incidents have been reported to the U.S. Department of HHS, Office for Civil Rights.
It would be a mistake to assume that cybercriminals only target large organizations; small healthcare facilities are just as vulnerable. Princeton Pain Management and Diamond Institute for Fertility and Menopause, LLC, both located in New Jersey, were victims of recent hacking attacks.
Ransomware incidents have spiked in the last several months with the WannaCry and Petya/NotPetya outbreaks, which encrypted data on thousands of computers throughout the world.
Did your healthcare organization get hit by ransomware? Important HIPAA Breach Notification Rule notes:
- Any type of hacking incident, whether or not it involved the encryption of patients' ePHI, is considered a HIPAA breach
- All covered entities must report the incident within 60 days
- All covered entities must report incidents to US-CERT and notify patients if the compromised data had not been encrypted by the entity to NIST specifications
- All covered entities should submit details of the incident to the FBI’s Internet Crime Complaint Center
- OCR must be notified of the incident separately
- When reporting to other government or ISAO organizations, the HIPAA Privacy Rule does not permit the sharing of PHI
Are you an SMB in New Jersey looking to ensure your HIPAA compliance or improve your network security and boost your IT operations?