On August 30, HHS added Queen Creek Medical Center d/b/a Desert Wells Family Medicine in Arizona to its public breach tool. The entity had reported that 35,000 patients were impacted by a breach involving a hack of the network.
We now have more details on that incident available thanks to a public disclosure of their notification and a copy of their letter to patients, both of which are linked from their web site.
According to their notification and letter, which was first spotted by Health ITSecurity, on May 21, 2021, Desert Wells experienced a ransomware incident that impacted many of its IT systems.
Investigation into the incident found no evidence that any sensitive data was exfiltrated, but
the unauthorized individual who accessed the network corrupted the data and patient electronic health records in Desert Wells’ possession prior to May 21, 2021 are unrecoverable despite our exhaustive efforts to try to recover our patients’ sensitive information.
The practice did have backups in place, but report that the backup data was also corrupted by the unauthorized individual.
It is not clear from the notification whether the threat actor was just incompetent at encrypting files or if the corruption of files and backup was intentional to pressure the entity into paying ransom to get a copy that the threat actor may have exfiltrated without it being detected by investigators.
Desert Wells makes no mention of any ransom demand or negotiations although they do describe the incident as a ransomware attack.
This information in the involved patient electronic health records may have included patients’ names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information.
Desert Wells’ notification gives a clue as to the massive task that lies ahead:
Desert Wells will continue to expend every effort to rebuild patients’ electronic health records in a new and enhanced electronic medical record system. This includes compiling our patients’ data from other sources, including from medical specialists, previous medical providers, hospitals, pharmacies, imaging centers, and labs, among others. We will request that patients update necessary forms during this process.
When you think about the enormity of the task, it may become clearer why Wood Ranch Medical decided to close their practice in similar circumstances.
In a companion letter to patients, Dr. Daniel Hoag addresses the matter forthrightly, informs patients that they are being offered credit monitoring and identity theft restoration services should they be needed, and ends the letter with a very human note:
We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause. I’m sure many of you have been reading about other healthcare providers in the community, and around the country, that have been impacted by cybersecurity events. For our part, we are continuing to take steps to enhance the security of our systems and the data entrusted to us, including by implementing enhanced endpoint detection and 24/7 threat monitoring, and providing additional training and education to our staff.
We thank our loyal patients for your patience and understanding, as we continue to work day and night to bring you the high quality care and service you deserve.
This attack never showed up on any of the ransomware leak sites that DataBreaches.net checks on a frequent basis. Nor has any data allegedly from any attack shown up for sale or free on any forum where such data normally appear.