Add Delaware-based Brandywine Pediatrics, P.A. to our growing list of healthcare entities hit by ransomware.
The practice notified patients on December 23 that on October 25, they had discovered that their file server was inaccessible due to a computer virus. They did not indicate what type of ransomware was involved.
Brandywine reports that they were able to immediately restore their files from backup tapes, but a forensic computer expert hired to assist with their investigation subsequently determined that patient files containing name, address, and medical information may have been accessed by an unauthorized person. The files did not include any Social Security numbers or payment card information.
There was no evidence, they report, that any information was exfiltrated or taken.
In addition to notifying patients, Brandywine is working to improve the security of their systems with the assistance of an IT consultant. They are also reviewing their policies and procedures.
The number of patients notified was not disclosed in their notification letter or their report to the New Hampshire Attorney General’s Office, and it has not (yet) appeared on HHS’s public breach tool. This post will be updated if and when numbers are disclosed.
Parenthetically, I note that I thought it was a very classy move that Brandywine’s notification letter to patients was signed by each and every doctor in the practice. That is not something I’m used to seeing, and I think it conveys a great message of personal regret and commitment. I wish more entities thought about doing what this group has done.