Urology Austin has reported a ransomware attack affecting 279,663 patients.
From their notification letter:
On January 22, 2017, Urology Austin was the victim of a ransomware attack that encrypted the data stored on our servers. Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation. We also began to take steps to restore the impacted data and our operations.
What information was involved?
Our investigation indicates that your personal information may have been impacted by the ransomware, including your name, address, date of birth, Social Security number, and medical information.
Note that their notification does not indicate that data were copied or exfiltrated at all. At the present time, they do not believe any data were actually taken or misused.
Update: In reading media coverage of this incident, I read the following on KXAN:
Gregg Philipson says he almost threw the letter away because he hasn’t been a patient at Urology Austin for more than 20 years.
Why were those data still on a system connected to the internet? How many notifications is the practice having to send because they didn’t take data offline in an encrypted archive or something? I know that this is a common problem, but I don’t think I’ve ever seen HHS enforce over this type of thing. Have you?