Add Desert Care Family & Sports Medicine in Casa Grande, Arizona to the list of health facilities that have suffered a ransomware attack. But what happened to them has resulted in my updating my list of the worst breaches of 2016.
On December 20, the center notified HHS that 500 patients were being notified that its server had been infected in August 2016. Of note, not only was the data on the server encrypted – including patient records – but Desert Care took the server to several IT specialists, all of whom were reportedly unable to break the encryption.
“As a result,” their patient notification letter explains, “the server remains locked and encrypted by the ransom ware, and patient records are unavailable.”
They do not explain whether they paid the ransom, and if they didn’t, why not, once they had determined that they could no longer access patient records. And for the center to write, three months after a ransomware attack, that “patient records are unavailable” raises several additional questions, including whether there was any backup, and if so, what happened to it (and if there was no backup, why not).
Information on the server included patients’ “full name date of birth, home address, account number, diagnosis, types of treatment information, disability codes, etc.”
To add to their regulatory woes, not only was the center unable to recover access to its patient records, but it was also unable to determine whether patient records had been exposed or acquired.
“We have not received any indication that the information on the server has been accessed or used by an unauthorized individual, but Desert Care cannot be sure of this, so it is providing you with this notice out of an abundance of caution,” they write.