After a ransomware attack the cyber criminals posted a neurology practice’s patient data on the Dark Web where it remained available for ten days. Protected health information (PHI) like this is valuable to criminals who can use it to commit insurance fraud and obtain prescription drugs.
In June, Goodman Campbell Brain and Spine in Indianapolis notified 362,833 individuals of the data breach that occurred in May. The PHI exposed potentially included names, birth dates, email addresses, medical record numbers, patient account numbers, phone numbers, physician names, treatment information, addresses, insurance information, dates of service, and Social Security numbers.
Goodman Campbell discovered on May 20 that its computer network and communication systems had been “compromised through a sophisticated ransomware attack.”
The practice said it immediately notified the FBI cybercrimes division and engaged an incident response firm to investigate the incident and restore systems. The attacker was not able to access the practice’s EMR system, but they did successfully access appointment schedules, insurance eligibility documentation, and referral forms.
In a June 17 update on its website, Goodman Campbell explained that its phone systems had been restored, but not its email system. On July 19 the practice updated its notice, assuring patients and employees that it had resumed all clinical operations and had fully restored its communication systems.
From its June 17 update:
“While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the Dark Web, which is a portion of the internet that cannot be found by search engines and is not viewable in a standard web browser and is commonly used in these types of attacks.”
Prevention is So Much Less Expensive
While details of what went wrong are not public knowledge, Goodman Campbell stated that it was taking steps to mitigate the attack, including “implementing new monitoring solutions to protect against future cyber attacks.” All healthcare data breaches affecting more than 500 individuals are investigated by the Office for Civil Rights (OCR), and the investigators will evaluate the extent and completeness of the practice’s HIPAA compliance. If the practice failed to follow the Security Rule, or didn’t have a Risk Analysis – Risk Management Plan in place, it may pay civil money penalties, or a settlement to conclude the investigation.
Full HIPAA compliance, with a regular annual Risk Analysis and year-round Risk Management, can prevent loss of patient data and save the costs and time required to defend investigations and lawsuits.