Ransomware Attack on Central Colorado Dermatology Caused Unauthorized PHI Access

Central Colorado Dermatology (CCD) advised around 4,000 patients that hackers possibly viewed some of their protected health information (PHI) due to a ransomware attack on its information system.

An unauthorized person obtained access to CCD’s information network and installed ransomware on a web server. Healthcare documents and patients’ healthcare records were not viewed, but some documents and scanned fax messages were encrypted. Certain records included PHI.

An investigation was initiated to find out whether or not PHI was viewed or thieved however it cannot be confirmed with a high level of confidence that any PHI was accessed or stolen. CCD didn’t learn about any information that imply PHI was viewed or stolen, however some of the application that was added on its system may possibly have granted the records to be downloaded.

The material that may have been viewed comprise of these data: Names, addresses, email addresses telephone numbers, birth dates, Insurance details, Social Security numbers, insurance payment codes and charges, dates of service, clinical details, health conditions, diagnoses, treatment data, laboratory test results, diagnostic reports, duplicates of CCD reports and remarks, and data brought to CCD from other medical providers by facsimile.

The investigation confirmed that one server was remotely accessed on June 5, 2018. The ransomware was installed on that day.

Upon knowing about the attack, CCD took action to safeguard the computer network and stop remote access. A cybersecurity agency was called in to look into the attack. After tne networks were properly secured and the ransomware was eradicated, the cybersecurity agency continued to keep tabs on the network for a few weeks to be sure that no other initiatives were done to get through the system. At this point, no extra attacks were tracked down and no suspicious system activity was found out.

As a reaction to the attack, CCD altered its password specifications and the way its system could be accessed, the latest anti-virus software program was put in, and more enhancements to network security was implemented. That procedure is continuous advised by IT security professionals. Alterations were made to its facsimile application to be sure that digital replicates of faxes aren’t immediately kept on its system.

Considering the unauthorized access to sensitive information and stealing of data can’t be eliminated, breach notification letters were delivered to all 4,065 patients whose PHI may likely have been compromised. All patients impacted by the data breach were given twelve months of credit monitoring services.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA