One of the newer incidents appearing on HHS’s public breach tool this week is a report from Mind & Motion, LLC in Georgia. Mind & Motion offers various types of therapeutic modalities.
On September 30th, 2018, they discovered that their server had been attacked with ransomware.
In a notification to patients, they write:
We have learned that your personal information potentially including: name, address, birthday, gender, medical history, social security number, medical diagnosis, insurance information, and medical records may have been compromised.
Ouch. It’s a great notification letter in terms of transparency, though, as it also details findings by the external consultants they brought in to assist and the steps they are taking to prevent a similar incident in the future. I’m sure some readers will pick up on all the past detritus from attacks and wonder why nothing got detected or prevented sooner, but it is what it is and it sounds like they have taken serious steps to improve their data security. I wish them well.
According to their report to HHS, 16,000 patients have been notified.
You can read their entire web site notice below:
Mind-and-Motion-Breach-Notification-Letter
Does anyone know what security products they used on the endpoint and servers? We should start a list to call out security vendors that make excuses for not working, and managed service providers that misconfigure solutions.