Columbia Surgical Specialists have announced that a ransomware attack on their facility has potentially compromised the protected health information (PHI) of up to 400,000 patients.
Columbia Surgical Specialists (CSS), based in Spokane, Washington, discovered the attack on January 9, 2019. CSS immediately launched an investigation into the breach, and contracted Intrinium, an IT security provider, to assist with the investigation.
Investigators discovered that the hackers had deployed ransomware to encrypt files on CSS’s servers. The encrypted files contained patient information such as names, driver’s license numbers, Social Security numbers, and other types of protected health information.
CSS told HIPAA Journal their investigators “went through our systems with a fine-tooth comb,” and eventually determined that it was unlikely that the hackers had stolen any of the sensitive information, “but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee.”
Columbia Surgical Specialists has stated that patients are at low risk of hackers using their data for nefarious purposes and of becoming victims of fraud. Following HIPAA’s Breach Notification Rule, notification letters were sent to affected patients out of an abundance of caution.
CSS has addressed the vulnerability that hackers exploited to gain access to the network server. Columbia Surgical Specialists stated that it is in the process of reviewing internal protocols and procedures to mitigate the risks of a future ransomware attack occurring.
Columbia Surgical Specialists revealed that they agreed to pay the hackers $14,649.09 to recover the patient files. CSS paid the sum using cryptocurrency.
“We received notice from the people that encrypted the files just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee,” explained Columbia Surgical Specialists. “We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data.”
CSS’s breach notification letter stated: “We’ve learned this type of attack unfolds slowly, in fits and starts, and thus the IT experts investigating the situation find bits of evidence that they piece together to learn what happened.” This letter provides some insight into why there was a delay in sending breach notices to patients; the organisation must assess the scale and extent of the attack, and determine which patients were potentially affected.
CSS reported the ransomware attack to the Department of Health and Human Services’ Office for Civil Rights on February 18, 2019. After investigating the breach, Columbia Surgical Specialists determined that the number of individuals who had potentially been affected by the breach was much lower than their initial reports suggested.