Altus Baytown Hospital system hit by Dharma ransomware

 

On November 2, Altus Baytown Hospital System posted this notice of breach:

We are posting this statement on our website as a precautionary measure and as part of our commitment to patient privacy. Altus Baytown Hospital and its affiliates and related entities (collectively, “ABH”) take our patients’ privacy seriously, and it is important to us that you and the community that we serve are made fully aware of a recent incident which potentially involves personal information of ABH patients.

On approximately September 3, 2018, we discovered that an unauthorized party gained access to our computer system and infected the system with malware. The malware encrypted many of ABH’s records (which made them inaccessible to ABH) to extort money from ABH. This is commonly referred to as “ransomware.” Although our electronic health records were not impacted, some of the affected files contained patient information, including patient names, home addresses, dates of birth, social security numbers, driver license numbers, credit card information, phone numbers, and medical information.

Shortly after we learned of the incident, we began an internal investigation and hired an outside consultant to assist us in decrypting and recovering our records. As a result of our investigation, ABH believes that the records were simply encrypted and there is currently no indication that the information itself has otherwise been accessed or used by any unauthorized individual.

Nevertheless, out of an abundance of caution, we recommend that all patients of ABH take immediate steps to protect themselves from any potential misuse of their information:

• — Register a fraud alert with the three credit bureaus listed here, and order credit reports:
  1. Experian: (888) 397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
  2. TransUnion: (800) 680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
  3. Equifax: (800) 525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241.

• — Monitor account statements, explanation of benefits, and credit reports closely.
• — Do not provide any personal information to anyone requesting information from you by telephone or e-mail. Be wary of scams that may appear to offer protection but are really trying to get personal information from you. If you have any suspicions about the authenticity of an e-mail or text, do not click the links in it.
• — If you believe any personal information has been compromised, notify law enforcement to assist you. Review helpful sites to learn more about consumer protection related to information compromise, i.e. AHIMA’s Medical Identity Theft Response Checklist for Consumers, which can be found at http://bit.ly/2pHDcqV.

We are keenly aware of how important our patients’ personal information is to them, and we apologize for any inconvenience. We are committed to providing quality care, including protecting our patients’ personal information. We have been working with our IT consultants to review and analyze the security of our computer systems, and we have updated certain technical, administrative and physical safeguards to ensure the security and confidentiality of your data in the future.

If you have any questions, please send an e-mail to [email protected] with your questions, full name, and contact information, and we will reach out to you directly.

Thank you for your patronage of ABH, it remains a great pleasure of ours to serve this outstanding community.

Sincerely,
ABH Compliance Committee

¹These affiliates and related entities include Altus Women’s Center of Baytown, LP, Oprex Surgery (Baytown), LP, Clarus Imaging (Baytown), LP, Clarus Imaging (Beaumont), LP, Zerenity Baytown, LP, and Altus Radiation Oncology Baytown, LP.

Altus Baytown Hospital Ransomware Incident

Frequently Asked Questions (“FAQs”)

• What happened? On September 3, 2018, Altus Bay Hospital’s (“ABH”) servers were infected with malware which resulted in the encryption of numerous files maintained by ABH. ABH’s outside IT consultant discovered that the malware was a strain of Dharma ransomware. ABH’s back-up files were successfully decrypted and all ABH files were restored.
• What information was disclosed about ABH patients? There are numerous files maintained by ABH that were encrypted on the server. At this point, it appears that these files were simply locked and left in place with the intent to extort money from ABH to gain access to our files. The files contained certain patient information including names, addresses, phone numbers, social security numbers, driver’s license numbers, credit card information, and health records. There is no indication that any of this information was actually acquired by the intruders or otherwise disclosed to anyone. However, out of an abundance of caution, ABH has provided all of its patients with notice of this incident so that they can take appropriate steps to safeguard their personal information.
• Were all Altus Health System entities involved in this incident? Only Altus Baytown Hospital’s servers were involved in this incident. However, information from affiliated and related ABH entities was stored on these servers. These affiliated and related ABH entities include Altus Women’s Center of Baytown, LP, Oprex Surgery (Baytown), LP, Clarus Imaging (Baytown), LP, Clarus Imaging (Beaumont), LP, Zerenity Baytown, LP, and Altus Radiation Oncology Baytown, LP.
• What did you do when the malware was discovered? As soon as the ransomware was discovered, ABH retained an outside IT consultant to investigate the infection and to begin to work to decrypt and recover the infected files. In addition, ABH’s IT consultant investigated the attack and took steps to ensure that the ransomware was removed from the system. ABH continues to implement additional safeguards to prevent future attacks from occurring to the system.
• Has the intrusion been contained? Yes. Upon discovery, ABH’s outside IT consultant investigated the attack and ensured that the ransomware was removed from the system. ABH continues to implement additional safeguards to prevent future attacks from occurring.
• What steps are you taking to ensure that it does not happen again? ABH continues to invest in our internal processes and systems to reduce the likelihood that such an incident ever happens again. We have also engaged external risk and security consultants to aid ABH in bolstering its cybersecurity infrastructure.
• Could I be liable for any fraud related to this Incident? No. You should call your card’s issuing bank if you discover any suspicious, unusual, or fraudulent activity on your card.
• Should I contact ABH to see if my credit card or debit cards were affected? No. You should contact your card’s issuing bank if you discover any suspicious, unusual, or fraudulent activity on your card.
• Will my card’s financial institution tell me if I was impacted? No. You should closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity by calling the number on the back of your card. As an additional precaution, you may want to change your PIN number on your debit card.
• Can I still use my credit or debit card or should I call to get a new one? Yes. You can continue to use your card. You should closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity by calling the number on the back of your card. As an additional precaution, you may want to change your PIN number on your debit card.
• I received a call, text or e-mail from someone who said they were from ABH asking for my social security number, credit card number, and/or other personal information. What should I do? Do not provide any information. ABH will not call, text or e-mail you to ask you for personal information. Be wary of scams that may appear to offer protection but are really trying to get personal information from you. If you have any suspicions about the authenticity of an e-mail or text, do not click the links in it. Please go directly to the sites you need to access.
• Is there anything I can do? If you do find suspicious activity on your credit or debit card or in your credit report, call the bank that issued your card to report the unauthorized charges immediately.We understand that you may want more information on other actions you might consider. Additional information generally about data breaches can be obtained from the Federal Trade Commission by contacting the agency toll-free at 1-877-ID-THEFT (438-4338) (TTY: 1-866-653-4261), or writing to Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

[Read more of the notice on their site]

Thanks to “Russy,” the reader who made us aware of this incident. 

Updated Nov. 16:  This incident was reported to HHS by Oprex Surgery as impacting 40,000.  I checked with Altus to doublecheck whether the 40,000 was just for Oprex Surgery or was for Altus Baytown and the affiliates. A spokesperson informed me that it was for Altus Baytown and its local affiliates.