Three new ransomware attacks have recently been reported by healthcare companies and their business associates. Attacks on Delaware Guidance Services for Children and Youth, Maffi Clinics, and Direct Scripts have resulted in the exposure of the protected health information (PHI) of roughly 70,000 people.
Delaware Guidance Services for Children and Youth Ransomware Attack
Up to 50,000 individuals have been impacted by a Christmas Day ransomware attack on Delaware Guidance Services for Children and Youth (DGS). A ransom was paid to unlock the encrypted files on its data servers.
After DGS restored the files, an IT company conducted a forensic analysis to find out if the attackers accessed sensitive data before encrypting the files. The company did not find any evidence that any PHI was accessed or stolen, but the possibility could not be ruled out. The data stored on the server was limited to names, addresses, dates of birth, medical data, and Social Security numbers.
DGS began sending breach notification letters to affected individuals on February 26, 2019. DGS has offered all affected persons 12 months of free credit monitoring services via MyIDCare.
DGS reported the ransomware attack to the Department of Health and Human Services’ Office for Civil Rights (OCR) and law enforcement.
Maffi Clinics Ransomware Attack
10,465 patients have been affected by a ransomware attack on Maffi Clinics, a network of plastic surgery and skin care clinics in Arizona. Some of the patients’ PHI was potentially compromised in the September 11, 2018 attack.
Maffi Clinics detected the attack promptly and remediated the incident by shutting down systems. The attackers only had access to systems for 5 hours. The prompt reaction limited the potential for harm.
A third-party IT consulting company removed the ransomware and restored files from backups. No evidence was found to indicate the attackers viewed or acquired any patient data. Maffi Clinics also did not receive a ransom demand.
If the attackers did access or download files, the information they could have viewed would have been limited to patients’ names, addresses, telephone numbers, and pre- and post-operative information.
Maffi Clinics has already improved its security protections to prevent any further ransomware or malware attacks. OCR received the breach report on March 6, 2019.
Direct Scripts Ransomware Attack
9,319 individuals have been affected by a ransomware attack on Direct Scripts in Ohio. The pharmacy benefits management services provider was attacked on January 30, 2019, resulting in the encryption of files containing patients’ PHI. The information stored on the affected server was limited to the names of customers, addresses, and prescription details. Other information was contained on servers and computers not accessed by the attackers. No evidence was found to suggest that patient data has been misused.
Direct Scripts has already sent notification letters to impacted individuals and has reported the breach to OCR.