The Susan M. Hughes Center is a cosmetic surgery and medical spa with locations in New Jersey and Pennsylvania. On December 27, they notified HHS of a ransomware incident affecting 11,400 patients.
The following is their statement about the incident:
The Susan M. Hughes Center is committed to maintaining the privacy and security of patient information we maintain. This notice is to inform you of an incident involving some of that information.
On August 30, 2016, we became aware of a ransomware attack of our computer system. We immediately began an investigation, reset passwords, removed the server from the system, and began using back up to our system. We engaged a leading forensic firm to assist in the investigation and we determined that an unknown person remotely accessed a server which contained files that may have included patients’ names, telephone numbers, dates of service, types of service or treatment, and amounts paid.
We have no indication that the patients’ information has been used in any way, but wanted to notify you of this incident and assure you that we take it very seriously.
We began mailing letters to affected patients on December 27, 2016, and have established a dedicated call center to answer any questions. If you believe you are affected but do not receive a letter by January 14, 2017, please call 1-866-263-4159 between 9 a.m. and 7 p.m. Eastern Time, Monday through Friday.
We regret any inconvenience or concern this may have caused our patients. To help prevent something like this from happening in the future we are working with a security firm to enhance the security of our systems.
They seem to have taken all the right steps, but it is not clear why it took them from August 30 to December 27 to send notifications to patients. In light of the most recent OCR settlement with an entity who did not notify patients promptly, I wonder what HHS OCR will do with this one where there has been an even longer gap between discovery and notification to patients.
The Susan M. Hughes Center isn’t the only cosmetic surgery center to have a breach reported on this site today, though. Check back this afternoon for a report on another cosmetic surgery center that had a data leak that exposed patient information to the world without any login required.