Laser & Dermatologic Surgery Center in Missouri notified HHS last month about an incident affecting 31,000 patients, but the submission was not added to the breach tool until this month, and no details had been readily available online until now. I recently spoke with their practice manager, who provided me with a copy of their notice and some additional information.
Let’s start with their notice:
(June 12, 2016) – Laser & Dermatologic Surgery Center (“LaserDerm”) today confirmed it fell victim to unauthorized access of its computer systems that may have led to the disclosure of certain patient information. With the assistance of IT professionals, the issue has been identified and resolved.
The data security incident was discovered on Monday, March 21, 2016. This incident involved the identification of an unauthorized user that, according to computer logs, had accessed the computer system several times beginning as early as March 1, 2016. During this unauthorized access, it is possible that patient names, addresses, dates of birth, and social security numbers may potentially have been exposed. Although there is no evidence at this time that electronic medical records were accessed, this possibility cannot be ruled out; therefore, we have notified all patients potentially affected by this incident, as well as the appropriate government agencies. We have taken every step necessary to address the incident, and are committed to fully protecting all of the information our patients have entrusted to us.
Following discovery of the breach on March 21, 2016, the computer system was immediately disconnected and IT professionals were engaged to secure the system. Forensic analysis is ongoing in an attempt to identify the origin of the unauthorized access. Actions are also being defined and implemented at the clinic to prevent this type of breach from occurring again.
Although we are unaware of any misuse of any patient’s personal information, we are encouraging patients to remain vigilant by reviewing account statements and monitoring free credit reports.
For questions or additional information regarding this incident, please call 636-449-4550, leave a message and someone will return your call.
Of note, the breach was discovered after the practice had been sold to others. It was the new owners’ IT personnel who discovered the breach. According to a spokesperson, they also discovered that malware had been injected into the system, but it was not clear whether it was part of the same incident or not. The previous owners had received a ransom notice with the ransomware, but they did not pay it, and were able to restore their system fully.