Ryan Marshall reports:
A Mount Airy medical office is assuring patients that no data was compromised in a ransomware attack on the office’s computer system discovered last year, part of what federal officials say is a dramatic increase in such incidents in recent years.
[…]
Family Medical Center in Mount Airy reported that it learned on March 9, 2023, that its computer system was accessed by a cybercriminal in a ransomware attack, according to a Sept. 20, 2024, legal notice that ran in The Frederick News-Post.
After alerting the FBI and state officials, the office hired a team to determine whether any data was compromised, and the office paid the criminals to return the encrypted files with an encryption key to unlock them, according to the legal notice.
[…]
While the computer system was accessed, “there was no evidence of a breach as all of [the] file’s records were encrypted and unintelligible to the hackers,” the notice said.
“Once the officials made sure there was no breach, we were allowed to make payments to the hackers,” the legal notice said.
Read more at Frederick News-Post.
Was This a Reportable Breach Under HIPAA?
The reporting does not mention HIPAA, and as far as DataBreaches can determine from HHS’s public breach tool, this incident was never reported to HHS. If threat actors simply encrypt files on a system without exfiltrating them, that may not be a reportable breach under HIPAA. But if, as Marshall reports, Family Medical Center paid the criminals to “return the encrypted files with an encryption key,” doesn’t that imply the threat actors had exfiltrated files? If so, the threat actors had acquired files they were able to decrypt, which would seemingly make this a reportable breach.
But is that what happened?
DataBreaches went searching for the Legal Notice to read its exact wording, as there is no notice on FMC’s website at this time. The public notice dated September 3, 2024 read:
To Family Medical Center Patients,
We are sorry to tell you about a privacy event. This letter is from Family Medical Center (FMC).
What happened?
On March 9, 2023, activity was found in our computer system that happened as ransomware. We quickly took steps to stop that activity. We began investigating right away and hired a special team to help us, we notified law enforcement, and turned the FMC system over to the authorities to assure no breach was detected to help protect our customers and their individuals.
On March 9, 2023, we learned a cybercriminal accessed our system and copied our data computer system. It was definite, there was no evidence of a breach as all of the file’s records were encrypted and unintelligible to the hackers.
The Department of Health and Mental Hygiene also investigated the breach, and the final step was the FBI. Once the officials made sure there was no breach, we were allowed to make payments to the hackers. This provided an encryption key to unlock all the encrypted data. Our IT experts replaced the server with all intact patient records.
Why did this happen?
A cybercriminal accessed our computer system without our permission.
What has FMC done to prevent this from happening again?
We investigated and called law enforcement. We made our computer systems even stronger than before. We do not want this to happen again.
What if I have a question?
If you have any questions or concerns, please call 301-829-1887. We are sorry for any concern this event may cause.
September 20, 2024
According to FMC, then, the threat actors “copied” their system. So were the files exfiltrated? The notice does not say that FMC paid the criminals to get data returned, but it does say they paid for a decryptor. And how could FMC really know for certain that the threat actors didn’t exfiltrate a copy of the files, cover their tracks, and then encrypt the system?
Should this incident have been reported to HHS? DataBreaches does not know, but the entity’s disclosure is somewhat confusing. DataBreaches will update this post if more information becomes available.