The Hospice of San Joaquin recently notified the California Attorney General’s Office that it had suffered a ransomware attack on July 2.
The notification, signed by Rebecca Burnett, their CEO, states that:
The data accessed may have included personal information such as full name, patient ID number, diagnoses, home address and other sensitive information. Though the malicious software accessed our servers, we do not believe, or have any indication your information has been utilized, disseminated or disclosed to unauthorized parties.
And that’s pretty much the extent of the details provided about the incident, although the web site version includes a sentence that donor and vendor information was not affected by this incident.
Did the hospice pay any ransom? Were they able to restore fully? How many patients had PHI on the server? And what kinds of PII did the patients’ families have on the server, if any? There’s a lot we still don’t know about this incident.
“The data accessed may have included personal information such as full name, patient ID number, diagnoses, home address and other sensitive information.”
This is what happens when the head of IT doesn’t get to speak for occurrences in his or her department. Nearly every ransomware letter states the threat actor has zero interest in your personal files. But that doesn’t even matter, considering the entire purpose of ransomware is encryption. No one’s data was accessed. Nothing was leaked. It was encrypted….