Central Colorado Dermatology (CCD) has informed more than 4,000 patients that hackers have potentially accessed some of their protected health information (PHI).
An unauthorized individual accessed CCD’s computer system and downloaded ransomware on a server. Patients’ medical files and charts were not compromised; however, some files containing PHI and copies of fax communications were encrypted.
An investigation was launched to determine whether any PHI was accessed or stolen, but it was not possible to establish with a high degree of certainty whether any PHI was viewed or downloaded. Data theft is a possibility, as software had been downloaded onto the server that could have been used to exfiltrate data.
The records that might have been accessed include the following information: names, email addresses, addresses, phone numbers, dates of birth, insurance information, Social Security numbers, insurance payment codes and fees, dates of service, clinical data, diagnoses, medical conditions, treatment details, diagnostic studies, lab test results, copies of CCD reports, and information sent to CCD by other healthcare providers by fax. The investigation established that the server was remotely accessed on June 5, 2018. The ransomware was deployed the same day.
When the attack was identified, CCD took steps to protect data and prevent remote access to the server. A cybersecurity company was retained to assist with the investigation. After securing the server and network and removing the malware, the cybersecurity company continued to monitor the network for a number of weeks to make sure that access had been blocked and no further attempts were made to access the server and network.
CCD has also modified its password policies and changed how its computer network can be remotely accessed. New anti-virus software has been installed and other security updates have been made. CCD continues to be guided by security experts, and the process of enhancing security is ongoing. CCD has also changed the settings on its fax software to ensure that digital copies are not automatically created and stored on the network.
Notification letters have now been mailed to all 4,065 patients whose PHI was potentially accessed. All patients affected by the breach were provided with 12 months of credit monitoring services without charge.