It appears that a ransomware incident involving VPN Solutions LLC may have affected a number of covered entities, although so far, DataBreaches.net has only identified two confirmed cases:
Surgery Group SC
On December 17, Surgery Group SC in Illinois notified HHS about an incident impacting 500 patients. DataBreaches.net interprets that 500 number as a marker in situations in which the entity may not yet have figured out how many have actually been affected. That does seem to be the case in this incident.
According to a notice on Surgery Group SC’s website, they were notified of a data security incident experienced by VPN Solutions LLC (“VPN”). Surgery Group’s vendor, Physicians Healthcare Solutions, LLC (PHS) uses VPN to host its databases — databases that contain the personal and protected health information of patients.
Surgery Group was notified of the incident on October 31. Surgery Group’s notice does not indicate when the attack occurred, but they note that VPN hosts and maintains the practice management and EHR platform that they use. Those records include patients’ clinical, demographic, and financial and claims information such as amounts of charges and payment history.
Access 24.7.365 does not appear to be the current situation, because Surgery Group reports:
The data security incident experienced by VPN resulted in the unavailability of the personal information of Surgery Group’s patients. […] Despite numerous, repeated requests from PHS and Surgery Group, VPN has not restored the VPN Platform and has been unable to provide Surgery Group with a date by when the VPN Platform will be restored and fully functional. VPN has indicated that it currently does not believe that any of Surgery Group’s patient information has been viewed or acquired by an unauthorized party.
Due to the unavailability of the VPN Platform that contains patient contact information, Surgery Group is unable to notify its patients of the incident by mail. Patients with questions may call Surgery Group at (630) 208-7874 between 9:00 a.m. and 5:00 p.m. CST, Monday, Tuesday, and Thursday, and between 9:00 a.m. and 4:00 p.m. CST, Wednesday and Friday.
Apple Blossom Family Practice
Apple Blossom Family Practice in Virginia issued an identical notice on their website. Their report to HHS on December 16 also seemed to use a 500 marker report.
There does not seem to be any notice on the vendor’s website at this time, and DataBreaches.net was unable to find any dedicated leak site that listed an attack on VPN Solutions. DataBreaches.net reached out to VPN Solutions via email to ask for more details, but no reply was immediately forthcoming. This post will be updated if or when more information becomes available.