Ransomware Attack on American Baptist Homes of the Midwest Potentially Exposed PHI

American Baptist Homes of the Midwest (ABHM), which provides assisted living and assisted care facilities throughout the U.S Midwest, announced a ransomware attack on its systems causing a security breach.

The attack was launched around March 10, 2019, which ABHM detected promptly after the initial encryption. The provider blocked the ransomware attack and kept the affected accounts secure. However, file encryption was not avoided resulting to the encryption of files containing several ABHM clients’ information.

No clinical or billing systems of ABHM was affected by the ransomware attack. Affected systems only included the email accounts and general filing system. It is likely that the attacker’s motive for the attack was to extort money from ABHM and not steal data. Nonetheless, the nature of attack can’t rule out unauthorized access of protected health information (PHI). Currently, the misuse or theft of PHI has not been proven by evidence.

The following information was found in the compromised servers and systems: names and addresses mixed with data elements such as: financial information, Social Security numbers, lab test results, prescribed medicines, diagnoses and other medical information.

The ransomware attack affected assisted living facilities in a number of areas which include: Wisconsin’s Tudor Oaks Senior Living, Muskego; South Dakota’s Trail Ridge Senior Living, Sioux Falls; Nebraska’s Maple Crest Health Center, Omaha; Minnesota’s Thorne Crest Senior Living, Albert Lea and Crest Services- Albert Lea; Iowa’s lm Crest Senior Living, Harlan and Crest Services – Cedar Rapids; Des Moines; Harlan; Ottumwa; and Chariton; Colorado’s Mountain Vista Senior Living, Wheat Ridge and Health Center at Franklin Park, Denver.

ABHM was assisted by a third-party forensics company in successfully removing the ransomware from its systems and restoring the backups of encrypted information.

To fortify security and prevent other cyberattacks, ABHM retained a cybersecurity consultant to perform a complete risk assessment to figure out potential risks and system flaws. Technical security options, including setting stronger password requirements, utilizing rate limiting to prevent system brute force attacks and 24/7 network security monitoring, were put in place to keep all ABHM data secure.

ABHM already sent mail notifications to all affected individuals and submitted an incident report to the HHS’ Office for Civil Rights (OCR) and law enforcement.

Because the incident is not yet posted on the OCR breach portal, the number of affected people is not yet certain.

About Christine Garcia 1289 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA