From their public notice of August 30, below, it appears that the attack was discovered on June 30. The incident was reported to HHS as impacting 40,800 patients. While the notification below meets all the regulatory requirements, I wish entities would routinely just disclose how malware was injected and what kind of malware it was. But good for FDIP for having a backup that was available and usable to restore data.
———
Fetal Diagnostic Institute of the Pacific (“FDIP”) is providing the following public notice of breach of unsecured protected health information (“PHI”) to satisfy its obligations pursuant to 45 CFR § 164.406.
What Happened: On June 30, 2018, FDIP became aware that it was the victim of a ransomware attack. Specifically, malicious software accessed data stored on FDIP’s servers, including patient records, and encrypted it. FDIP engaged a leading cybersecurity firm and was able to successfully remove the malware and restore the data using backup files maintained for such a contingency. FDIP takes seriously our responsibility to protect the confidentiality of patients’ personal information. Our policies prohibit the improper use, access, or disclosure of patients’ confidential personal information.
Who and What Information Was Involved: Data related to past and current patients of FDIP was potentially affected. While we have no evidence showing that any patient data was compromised, the cybersecurity firm was not able to definitively conclude whether any data was actually viewed or removed from FDIP’s servers. Accordingly, there is a possibility patients’ full name, date of birth, home address, account number, diagnosis, or other types of information may have been affected. FDIP does not store financial information such as credit card numbers.
What is Being Done and What You Can Do: Because this access of PHI was not for the purpose of treatment, payment or health care operations, and did not fall within any of the exceptions to the general rule prohibiting use or disclosure of an individual’s PHI without written authorization as set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) regulations, it constituted a violation of HIPAA. As required by law, FDIP will report this incident to the U.S. Department of Health and Human Services. As described above, FDIP took immediate action to address the malware attack and restore all affected data. The cybersecurity firm cleansed FDIP’s computer systems, confirmed that no malware remained, and implemented additional protections to help avoid any future incidents. We do not expect that patients will experience any harm from this unauthorized disclosure, and there is no action patients need to take at this time. However, should any patient receive any suspicious communications or become aware of other activity they believe may be related to this event, please inform us immediately.
For More Information: For more information or to ask a question, please visit our website at http://www.hawaiifdip.com or contact us toll-free at 1-877-916-0019. This phone number will remain active for at least 90 days from the posting of this notice. Protecting patient personal health information is very important to us. You may be assured of FDIP’s commitment to your security and satisfaction.