On September 1, Four Winds Hospital in Katonah, New York discovered that they had been attacked. On November 14, they issued a statement on their site and in local media. From that statement:
What happened? In September 2020, Four Winds Hospital in Katonah was the victim of a ransomware attack that prevented the Hospital from accessing its computer systems. We learned of the attack on September 1st and we were not able to access our computer networks for two weeks.
How did the Hospital secure patient data? We immediately notified NYS and federal law enforcement agencies which began an investigation of the incident and the cybercriminals behind it. We quickly locked-out the cybercriminals from continuing to access our systems. We also engaged cybersecurity experts to assist us in responding to the attack and help us to determine what, if any, patient data was impacted. They obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified. The Hospital has taken steps to prevent a reoccurrence.
They obtained “evidence that the cybercriminals deleted any files in their possession?” That suggests that the hospital paid ransom, although they do not say that they did. In any event, any “evidence” of data destruction cannot be relied upon, of course.
What information was involved? Our forensic investigation determined that encrypted data fields, email, and any information in cloud based and encrypted programs were NOT accessed by the cybercriminals. The patient electronic medical record system was NOT accessed. The cybercriminals were able to access password protected data files. We then conducted a file-by-file search to determine whether those files contained any personal patient information. That search revealed that some files that could have been accessed during the time the cybercriminals retained possession of them included: lists of patients from 1983 to the present by name and medical record number; a small subset of patient lists (approximately 100 records) that also contained a patient’s social security number; some files dating back to 2013 that contained miscellaneous documents that included limited patient treatment information; and the social security number of patients who were Medicare members admitted earlier than 2019 during the time that Medicare cards displayed that number.
You can read the full statement on their site, but once again, why was so much old data available? All of those patients need to be contacted whereas moving old files like that offline likely would have saved the hospital a lot of time and money.
There is no entry on HHS’s public breach tool for this incident — at least not yet.