On or about February 21, Surgery Center of Mid Florida (“SCOMF”) experienced a ransomware attack. No group has publicly claimed responsibility for the attack, which originated with an attack on SCOMF’s now-former IT vendor. The attack on the unnamed vendor gave the attackers access to SCOMF.
In August, SCOMF notified regulators, explaining, in part:
Although there is no evidence that any specific patient information was accessed or exfiltrated as a result of this incident, SCOMF is notifying all patients in an abundance of caution due to the encryption of its system. Personal information contained on SCOMF’s network varies from individual to individual, but may have included patient demographic information, such as names, address, dates of birth; health information, such as medical history, diagnoses, treatments, dates of service; health insurance information, such as account numbers, insurance policy numbers, billing and claims information; and financial account information, including Social Security numbers.
In response to the incident, SCOMF transferred their business to a different IT vendor and implemented additional safeguards, including replacing and enhancing all firewalls and transitioning all data to a secure, cloud-based electronic health record system and practice management software. SCOMF has also offered those potentially affected 24 months of identity theft protection services.
According to their notification to HHS, 48,684 patients were affected by this incident.
SCOMF’s notification provides the kinds of details patients need to evaluate their risk and make decisions, but it leaves some questions about the incident unanswered. We have emailed the following questions to SCOMF:
- Did SCOMF have a usable backup system for the encrypted system?
- Did they pay for a decryption key?
- Who was the IT vendor?
- What threat actor or group was responsible?
- Was patient care ever disrupted or affected at all?
No reply was immediately available. This post will be updated if a reply is received.