On March 27, Brandywine Urology Consultants in Delaware began notifying the U.S. Department of Health and Human Services (HHS) and their patients about a ransomware attack. The attack occurred on January 25, and the practice became aware of it on January 27.
Importantly, they state that the electronic medical records system (“EMR”) was not attacked and the information contained in those records was not compromised. At the time of their March 28 website notice, however, the practice noted that their outside consultants had not yet completed their investigation of the incident, so it was still possible that protected health information had been accessed or disclosed. They hope to issue an update soon.
In terms of what might have been accessed, they note that:
“It is possible, though we believe that it is unlikely, that your personal and financial information, which may include your name, address, social security number, medical file number, claims information, and other financial and personal information, was compromised. We will inform you as soon as possible of the results of our ongoing investigation.”
You can read their full notice on their site. I applaud their statement about how to obtain additional information — they actually provide a name, and a phone number, and an email address, which this site promptly used to inquire as to what type of ransomware was injected, how much ransom was demanded, and why the practice decided not to pay it. No response was received by publication time, but this post will be updated if a reply is received.
The incident was reported to HHS on March 27 as impacting 131,825 patients.