Mind & Motion Developmental Centers of Georgia has discovered that hackers installed malware and ransomware on one of its servers, which potentially gave them access to the protected health information (PHI) of patients.
The ransomware was installed on a server that stores Mind & Motion medical records. The types of information that were possibly compromised include patients’ names, birth dates, addresses, gender, Social Security numbers, health histories, medical diagnoses and health insurance details.
Mind & Motion found out about the ransomware attack on September 30, 2018. TeamLogic IT investigated the breach and tried to figure out how the attack happened. The IT vendor also helped in the recovery of data that became inaccessible because of the ransomware. Aside from the ransomware infection, TeamLogic IT found a spam emailer and an inactive keylogger on the server.
TeamLogic IT successfully removed all malware and the accounts associated with it. No evidence was found to indicate that the malware allowed the attackers to access patients’ financial data, and the center’s scheduling and electronic billing systems remained secure at all times.
Since the discovery of the attack, Mind & Motion has not been made aware of any misuse of PHI. The center assumes that the attacker’s sole intention was to extort money from Mind & Motion, and it does not believe patients will experience any adverse consequences as a result of the cyberattack.
Mind & Motion has reset all passwords and is now enforcing the use of complex passwords on all accounts. The center has also introduced a policy requiring users to change their passwords more frequently. Professional anti-malware solutions have been installed on computers and servers, which will be scanned on a regular basis. Mind & Motion has also deployed encryption on all computers and is now using new anti-spam technology to defend against phishing attacks.
After detecting the breach, Mind & Motion engaged a compliance consulting company to ensure that the center complies with all HIPAA requirements. The consulting company will also train all employees on HIPAA compliance within the next 30 days.
On November 30, 2018, Mind & Motion submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights. The breach report shows up to 16,000 patient records were possibly compromised.