Cleveland Medical Associates, PLLC, a four-physician primary care clinic in Cleveland, Tennessee, is providing notice to its patients that on April 21, 2017, it discovered that, the evening before, its computer network had been impacted by ransomware, a type of computer virus that locks up, or encrypts, information and demands that a payment be made in order to unlock, or decrypt, the information. There is no evidence that patient data was compromised as a result of this incident and the incident did not impact the clinic’s ability to provide care to patients.
Following the incident, in addition to implementing a new medical records system and analyzing security procedures, Cleveland Medical Associates engaged the services of a forensic investigation firm to determine the extent of the information potentially affected by the incident. Based on the investigation, there is no evidence that protected health information was taken from the affected system or misused as a result of this incident. The FBI has also been notified of the incident and Cleveland Medical Associates will fully cooperate in any subsequent investigation it may conduct into the matter.
Healthcare organizations and other companies across the country have been affected by similar types of ransomware cyber attacks and Cleveland Medical Associates believes that the motivation behind this incident was extortion. Because Cleveland Medical Associates was unable to determine with reasonable certainty whether or not there was an unauthorized access of medical information, it is providing its patients with notification of the incident. Information contained on the affected server included demographic information such as patient names, addresses, telephone numbers, email addresses, and Social Security numbers, clinical information such as medical records, and other information such as insurance billing information.
Cleveland Medical Associates takes protecting its patients’ information seriously and is offering a year of free credit monitoring to patients potentially affected by the incident. The clinic has also set up a dedicated number for patients to call with any questions or for more information. The number to call is 1-888-746-7073, Monday through Friday, 9 a.m. to 9 p.m., Eastern Time.
The Office of Inadequate Security
