The protected health information of 925 patients was compromised because of a ransomware attack on Coastal Cape Fear Eye Associates. The breach was discovered on December 5, 2017 which prompted the immediate action of Coastal Cape Fear Eye Associates to bring in IT professionals to deal with the attack and remove the ransomware. The IT consultants were successful in removing the malware and restricting harmful effects. But certain files were locked and inaccessible for a while.
The healthcare provider uploaded a substitute breach notice on its website on February 1, 2018. They were delayed in sending notifications to patients due to the inability to access certain files, which are necessary to know which patients and what PHI were affected. It was possible to access the encrypted files only recently.
According to the HIPAA Rules, it is required that healthcare organizations report ransomware attacks. The only exception not to do so is when there is low probability of PHI exposure. Ransomware usually encrypts file and has nothing to do with file access. Nevertheless, the Department of Health and Human Services’ Office for Civil Rights has given guidelines that in most cases, ransomware attacks must be reported and patients should be sent notification.
In the case of Coastal Cape Fear Eye Associates, the investigation indicated that most likely there was data access though no evidence proves that the attacker stole any information. The compromised files contained PHI such as names, birth dates, addresses, email addresses, phone numbers, Social Security numbers, driver’s license numbers, insurance card numbers, emergency contact information, medical histories, medications, diagnosis records, physical exam notes, billing and payment details, legal documents and scanned copies of Medicare cards, insurance cards and driver’s licenses.
Investigation of the ransomware attack is still ongoing and implementation of extra security controls is expected soon to prevent similar security breaches in the future.