DOCS Medical Group is an urgent care and primary care provider in Connecticut with multiple locations. They also provide telemedicine services.
On September 7, DOCS detected abnormal activity that was quickly identified as a ransomware attack.
According to their notification letter to patients dated November 7, an unspecified number of patients had their information on a server that had been targeted. The information included demographic information (e.g. name and contact information), medical history, reasons for visiting DOCS Medical Group, Social Security number, insurance information, and various types of financial information. DOCS accepts health insurance and also has its own UR Health plan that patients can subscribe to.
The ransomware attack reportedly did not affect electronic medical records or billing systems, and DOCS Medical Group was “fully operational at all times.”
The notification does not indicate what ransomware group hit the practice, whether files were locked, and if they were locked, whether DOCS was able to decrypt them or restore them from backup. Nor does the notification indicate whether any ransom demand was received and if it was, whether DOCS engaged with the threat actors at all or paid them.
But perhaps one of the most intriguing statements in the notification was this: “The ransomware attack did not occur due to any act or omission of DOCS or its staff.”
So then how did the threat actors gain access?
Later in the notice, they state: “DOCS takes its obligation to protect the privacy and confidentiality of our patients’ personal information and we expect our vendors to do the same.” Why were vendors mentioned here? Was this breach related to a vendor in any way? Is that why they said the attack did not occur due to any act or omission of DOCS or its staff?
DataBreaches sent an email to DOCS Medical Group yesterday asking for more details about the ransomware attack and for an explanation of certain statements in their notification. No reply has been received as yet, and the incident does not yet appear on HHS’s public breach tool. This post will be updated when more information becomes available.