On April 10, Retina & Vitreous Associates of Texas issued a press release about a security incident discovered in February.
They write, in part, “On February 1, 2023, Retina & Vitreous became aware of unusual activity within its network and discovered that there had been unauthorized access to the environment… On February 15, 2023, the investigation determined that some personal and protected health information may have been acquired without authorization in connection with the incident.”
They never mention the word “ransomware” or any ransom demand in their notification.
But now let’s replace that “may have been acquired” with “definitely was acquired.” Approximately 170 GB of files including protected health information of patients, financial data of the practice, and human resources files were subsequently dumped on the dark web by the BianLian threat actors.
This incident was reported to HHS as affecting 35,766 patients.
It appears that Retina & Vitreous made their notifications before BianLian dumped the data, so they could not have disclosed the dump in their press release. But should they have alerted patients that this was a ransomware incident with a ransom demand? The law may not require it explicitly, but should that be considered a best practice in notification by now?