In the process of investigating a ransomware incident, Peachtree Neurological Clinic discovered an earlier hack going back to February 2016. They posted the following notice on their web site:
Peachtree Neurological Clinic, P.C. (“PNC”) of Atlanta, Georgia has advised its patients of a privacy event that may have compromised certain personal information. The events are believed to be the result of criminal activity.
PNC’s computer system was recently infected by a ransomware virus that encrypted its electronic medical records (“EMR”) system containing its patients’ medical records. The ransomware demanded monetary payment from PNC in order to decrypt the files and allow them to regain access. PNC did not pay the ransom to the cyber criminals, but was instead able to restore its files and the functionality of its system through backup records. Subsequent scans of PNC’s computer system have shown no additional indications of the ransomware, and its investigation does not show any indication that the ransomware exfiltrated any data off its system. This incident also did not impair PNC’s ability to provide care to its patients.
Through its investigation of this incident, however, PNC discovered that its computer system previously had been accessed without its knowledge by unauthorized individuals not affiliated with PNC between February 2016 and May 2017. PNC is not able to confirm which, if any, files or patient information were accessed by these unauthorized individuals, but it is possible that they could have accessed PNC’s EMR system containing patient names, addresses, telephone numbers, social security numbers, dates of birth, driver’s license numbers, treatment or procedure information, prescription information, and/or healthcare insurance information.
Although the motive of these unauthorized individuals is unclear, and PNC cannot confirm whether they actually accessed or acquired any patient information, PNC has confirmed that they did at least gain access to its system. Therefore, out of an abundance of caution, PNC has notified all potentially affected individuals about this issue and offered them free identify theft protection services. It also has reported the incident to law enforcement and will cooperate with any investigation.
“We take patient privacy seriously, and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected,” said Dr. Lawrence Seiden, M.D., managing partner of PNC.
Those who believe they may have been affected by this incident may call PNC’s dedicated, toll-free incident response hotline at (866) 690-0768 for more information.
PNC is a medical care provider located in Atlanta, Georgia that treats a variety of neurological conditions and specializes in the treatment of migraines, dizziness, Parkinson’s disease, and multiple sclerosis.
I do not think I’d relish sending patients a notification of two security incidents like that. The number of patients impacted by each incident was not revealed in their statement, and the incident isn’t up on HHS’s breach tool yet, although it would seem likely that it will be. Actually, we should probably see TWO incident reports on the breach tool as these were separate incidents.