DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Mount Airy medical office says it was hit by ransomware attack

Posted on October 11, 2024 by Dissent

Ryan Marshall reports:

A Mount Airy medical office is assuring patients that no data was compromised in a ransomware attack on the office’s computer system discovered last year, part of what federal officials say is a dramatic increase in such incidents in recent years.

[…]

Family Medical Center in Mount Airy reported that it learned on March 9, 2023, that its computer system was accessed by a cybercriminal in a ransomware attack, according to a Sept. 20, 2024, legal notice that ran in The Frederick News-Post.

After alerting the FBI and state officials, the office hired a team to determine whether any data was compromised, and the office paid the criminals to return the encrypted files with an encryption key to unlock them, according to the legal notice.

[…]

While the computer system was accessed, “there was no evidence of a breach as all of [the] file’s records were encrypted and unintelligible to the hackers,” the notice said.

“Once the officials made sure there was no breach, we were allowed to make payments to the hackers,” the legal notice said.

Read more at Frederick News-Post.

Was This a Reportable Breach Under HIPAA?

The reporting does not mention HIPAA, and as far as DataBreaches can determine by looking at HHS’s public breach tool, this incident was never reported to HHS.  If threat actors simply encrypt files on a system but do not exfiltrate them, that may not be a reportable breach under HIPAA, but if, as Marshall reports, Family Medical Center paid the criminals to “return the encrypted files with an encryption key,” doesn’t that mean that the threat actors had exfiltrated files? If that was the case, the threat actors had acquired files that they had the ability to decrypt, which would seemingly make this a reportable breach.

But is that what happened?

DataBreaches went searching for the Legal Notice to read its exact wording, as there is no notice on FMC’s website at this time. The public notice dated September 3, 2024 read:

To Family Medical Center Patients,

We are sorry to tell you about a privacy event. This letter is from Family Medical Center (FMC).

What happened?

On March 9, 2023, there was found activity in our computer system that happened as a Ransome Ware. We quickly took steps to stop that activity. We began investigating right away and hired a special team to help us, we notified law enforcement, and turned FMC system over to the authority to assure no breach was detected to help protect our customers and their individuals.

On March 9, 2023, we learned a cybercriminal accessed our system and copied our data computer system. It was definite, there was no evidence of a breach as all of file’s records were encrypted and unintelligible to the hackers.

The Department of Health and Mental Hygiene also investigated the breach, and the final step was the FBI. Once the officials made sure there was no breach, we were allowed to make payments to the hackers. This provided an encryption key to unlock all the encrypted data. OurTI experts replaced the server with all intact patient records.

Why did this happen?

Acybercriminal accessed our computer system without out permission.

What has FMC done to prevent this from happening again?

We investigated and called law enforcement. We made our computer systems even stronger than before. We do not want this to happen again.

What if Ihave a question?

fI you have any questions or concerns, please call 301-829-1887. We are sorry for any concern that event may cause.

September 20, 2024

According to FMC, then, the threat actors “copied” their system. So were the files exfiltrated? The notice does not say that they paid the criminals to get data returned, but they do say they paid for a decryptor.  And how could FMC really know for certain that the threat actors didn’t exfiltrate a copy of files and then cover their tracks and encrypt the system?

Should this incident have been reported to HHS? DataBreaches does not know but the disclosure by the entity is somewhat confusing. DataBreaches will update this post if more information becomes available.

Category: Health DataMalwareU.S.

Post navigation

← Cyber resilience act: Council adopts new law on security requirements for digital products
Payroll-related cyberattack led to breach of Mass. state workers’ information, comptroller says →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source
  • Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • Mysterious hacking group Careto was run by the Spanish government, sources say

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.