On February 26, Delaware Guidance Services for Children and Youth, Inc. (“DGS”) sent a letter to parents and guardians of their young patients. The letter explained that on December 25, 2018, DGS had become the victim of a ransomware attack that had locked up the patient records. Those records contained personal information, such as name, address, birth date, social security number, and medical information.
To secure release of the records, DGS was required to pay a “ransom,” in exchange for a de-encryption “key” that unlocked the records.
Their notification letter, signed by their Executive Director, Jill Rogers, MSN, does not say how much DSG paid for the decryption key.
Subsequent investigation did not provide any indication that records had been accessed, corrupted, or exfiltrated, but DGS decided to notify everyone and to offer them credit monitoring services and other supports.
You can read their full notification letter below. DSG does not explain why they opted to pay ransom. Did they not have a current backup that they could use to restore their database or was their some other reason or concern?
Patient Privacy Letter 2019