DataBreaches.net has received a statement from Columbia Surgical Specialists in Spokane about the ransomware incident that they recently reported to HHS as impacting up to 400,000 patients. Subsequent and ongoing investigation suggests that the number affected may be substantially lower.
According to the statement sent to this site, the practice became aware of the attack on January 9.Investigation by Intrinium, their IT security provider, could not definitively conclude that no ePHI had been accessed or exfiltrated, but because it could have been exposed, all potentially impacted patients are being notified.
The encrypted files/systems contained patient names and, potentially, drivers’ license, social security numbers and other protected health information.
Ransom Paid
Columbia Surgical Specialists paid the ransom demanded. As they explain in their notification:
Yes, we paid $14,649.09. We received notice from the people that encrypted the files just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee. We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data. (Again, we believe the information was locked, but not obtained, by the perpetrators). The payment came from the doctors who own Columbia, and will not be passed on to our patients.
The full notification appears below. It sounds like they still have a lot of work ahead of them, including figuring out how the ransomware got injected, how to prevent a recurrence, and how they might segregate data differently or disconnect some from the internet so that future attackers do not have access to so much data if or when there is another successful attack. But their experience is a reminder at how challenging it can be to provide urgent patient care or surgery if you suddenly were to lose access to the patient’s records.
Notification Letter