Update of March 16: This was reported to HHS as affecting 105,094 patients. Bone & Joint has not replied to DataBreaches’ inquiry as to whether this was a ransomware incident or not.
The Bone & Joint Clinic in Wisconsin has notified current and former employees as well as current and former patients of a data security incident that they describe as a “network disruption.”
According to their notification of March 10, the disruption was experienced on January 16, and the personal and protected health information may have been involved: names, dates of birth, Social Security numbers, home addresses, phone numbers, health insurance information, and diagnosis and treatment information.
As we often read in such notices, Bone & Joint claims they are not aware of any evidence of the misuse of any information involved in the incident. They sent notification letters to individuals on March 7 offering complimentary identity protection services for 12 months through IDX.
There does not seem to be any substitute notice on Bone & Joint’s website at this time and the incident does not yet appear on HHS’s public breach tool so we do not yet know the total number affected. But we also do not know whether this was a ransomware attack or not because the press release makes no mention and no denial of any ransomware or ransom demands.
DataBreaches sent an email inquiry to Bone & Joint asking if this was a ransomware incident and how many people were notified that their protected health information was involved. This post will be updated if a reply is received.