Two Malware Attacks on Colorado Practice Impacted 16,000+ Patients

Longs Peak Family Practice (LPFP) in Longmont, Colorado, was hit by a ransomware attack. The attacker gained access to the systems of this family and sports medicine practice and encrypted parts of its network. LPFP identified suspicious activity on its network on November 5, 2017, and took immediate steps to secure its systems. Encrypted files were recovered from backups to rebuild the systems.

While LPFP was prepared for the ransomware attack, it was not prepared for a second attack five days later. The attacker did not use ransomware in the second incident. This time, LPFP engaged a leading computer forensics firm to investigate. The firm’s experts scanned the network systems for malware and backdoors and investigated whether there had been unauthorized access.

According to the investigation, which lasted until December 5, an unauthorized person accessed LPFP’s network on November 5, 9 and 10. There was no evidence that the attacker viewed files or stole data, but it is also not 100% certain that data access and theft did not occur. The malware may have been used to download files.

The investigators reported that the following patient information was compromised: names, email addresses, addresses, dates of birth, Social Security numbers, driver’s license details, internal patient ID numbers, insurance payment codes and costs, insurance carriers, dates of service, copies of notes made by LPFP physicians and other healthcare experts, diagnoses, medical conditions, lab test results, data from diagnostic studies, and medications. Final statements for accounts sent to a collection agency may also have been compromised. Rest assured, financial information, credit or debit card details, and invoices for medical services were not exposed.

The attacks revealed that LPFP’s defenses still had vulnerabilities that attackers could exploit to access patient data. LPFP has since taken steps to fix them: it installed a new, enhanced firewall and gave healthcare employees further training on privacy and security. The search for tools and procedures to improve security is ongoing.

Because sensitive information may have been accessed, LPFP offered patients one year of free identity theft repair and credit monitoring services provided by AllClear. LPFP submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights, indicating that 16,238 patients were affected.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA