The Jones Eye Clinic and CJ Elmwood Partners, L.P., located in Sioux City, IA, have discovered that the protected health information (PHI) of approximately 40,000 patients has potentially been accessed by unauthorized individuals.
The data breach was due to a ransomware attack on the information system used for booking appointments and billing patients. The breach did not affect electronic medical records because they were stored in a different system that the attacker was not able to access.
Jones Eye Clinic found out about the ransomware attack on August 23, 2018. The investigation revealed the malicious software had been deployed the previous evening. The attacker demanded a ransom in exchange for the keys to decrypt files; however, the healthcare provider did not pay the ransom and was able to restore the encrypted files from backups. Jones Eye Clinic said it was able to recover data within 24 hours.
Ransomware is typically used only to extort money from victims. Evidence of data theft was not found, but it was also not possible to rule out PHI theft with a high degree of certainty. Jones Eye Clinic therefore decided to offer all affected patients one year of free credit monitoring services. Patients have now been notified of the breach by mail and have until January 19, 2019 to register for the complimentary credit monitoring services.
The attacker potentially accessed the following information: full names, birth dates, addresses, healthcare record numbers, service dates, information about surgical procedures, and appointment information. Insurance policy status, Social Security numbers, and the claims details of some patients may have also been exposed. Victims of the breach had previously received medical services at Jones Eye Clinic or its affiliated surgery center, CJ Elmwood Partners, from January 1, 2003 to August 23, 2018.