Massachusetts-headquartered Doctors’ Management Service, Inc. provides medical billing services to physicians and hospitals. You may never have heard of them, but your hospital or physician might have provided them with your protected health information if your doctor or hospital contracts with them.
This week, DMS sent notice of what they strangely describe as a “recent incident” that impacted their computer system. The incident, which may have exposed patients’ name, address, date of birth, Social Security number, driver’s license number, insurance and Medicare/Medicaid information and numbers, and medical information, including some sensitive diagnostic information, was first detected On December 24, 2018, when they noticed a problem with their network.
An investigation into the problems revealed that encryption malware was affecting the server. Further investigation revealed that it was the GandCrab ransomware. The initial unauthorized access to the network took place on April 1, 2017 through Remote Desktop Protocol (RDP) on a DMS workstation.
DMS did not pay the ransom and was able to restore from backup.
But attackers had access to the network beginning on April 1, 2017 and the ransomware was first detected some time after December 14, 2018? I wouldn’t call that a “recent incident.”
DMS’s notification, signed by their CEO, Timothy DiBona, emphasizes that the investigation did not uncover any evidence of unauthorized access to, use of, or exfiltration of any patient data.
This incident, which DMS is reporting to HHS, affected patients from a number of their provider-clients. The following is a list of affected entities:
Anjum Baqai Associates
Arcangel Neurological Consultants
AT Care PLLC
AUM Healing Center
Bell Mental Health Associates
Beverly Surgical Associates
Bhealthy Primary Care
First Choice Community Medical Services
Holy Family Medical Specialty
Lowell General Inpatient Specialists
NE Pulmonary & Sleep
New England Inpatient Specialists
New England Pulmonary & Sleep Specialists
Today’s Wellness PLLC
Incare LLC
Pricipes Medical Group
Joseph Schwartz PLLC
Neuro Institutue of New England
New England Reconstructive & Aesthetic
Northwoods Surgical, PLLC
Pathways Healthcare LLC
Peaceful Soul
Personalized Medicine
Pinnacle Medical Group
Post Acute Cardiology
Precision Surgical Specialists of Lowell
Premiere Care
Saxony Primary Care PLLC
Sports Medicine Health LLC
Surgical Group of Norwood
The Wholeness Center
Theresa M Smith Practice
Thompson Medical Associates
WLB Rehabilitation Medicine
Heywood Athol Inpatient Specialists PLLC
Winchester Hospital Inpatient Specialists
Dutch Connection LLC
New England Community Medical Services
The notification, does not indicate how many patients are being notified, but describes steps DMS is taking to strengthen its security to prevent a recurrence.
You can read the full notification below.
CON-MT-Notice-of-Data-Security-Incident-for-DMS