Wager Evans Dental in Reno, NV had to deal with a ransomware attack that kept them from accessing dental records and images for five days. The ransomware attack happened on October 30, 2017. A report of the incident stated that the malicious software was installed on one computer and one server of the dental practice.
Installation of ransomware is possible in several ways. The most common way is via email, which is the case in this attack. It is believed that ransomware was downloaded to the system when an employee accessed his email and clicked on a malicious URL or email attachment.
IT experts took five days to restore the encrypted files and remove the ransomware. So, there was no access to patient records and images until November 4, 2017. The encrypted files included the names, birth dates, addresses, diagnoses, images, treatment plans, health insurance details and Social Security numbers.
An investigation of the ransomware attack revealed the possibility of data access and viewing by the attackers. Although it appeared that the attackers only intended to extort money from the dental practice. The investigation is not yet closed. Until now, no indications will ascertain whether the attackers accessed or stole PHI. Because of this uncertainty, HIPAA requires the notification of all patients. In addition, the dental practice offered one year free credit monitoring services to all patients.
Wager Evans Dental submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights. Included in the report is the information that about 3,898 patients’ PHI have been potentially exposed. In response to the attack, the practice upgraded its network and computer security to avoid similar attacks in the future.