Central Colorado Dermatology (CCD) recently provided a notice on their site to patients that a ransomware attack had affected CCD systems.

On June 5, 2018, CCD discovered a ransomware attack that affected certain files of faxed communications that were stored on CCD’s computer network.  Some of these files contained patient health information.  Consequently, CCD has mailed out notices to patients since August 3 and has provided the notice on their webpage for those who may not receive the mailed messages due to changes in addresses.

Remember, the OCR provided guidance in 2016 stating that ransomware should be considered a breach.

The discovery of the ransomware started with suspicious activity on the network.  Upon further investigation CCD determined that a hacker infiltrated the network and launched the ransomware attack.  CCD states that the “incident did not impact any patient medical charts or the clinic’s ability to provide care to patients.”  There was no evidence that patient files were opened by the hacker.  However, the type of ransomware the hacker used could have allowed the hacker to download files, CCD was required to treat the incident like a breach.  CCD did not find any evidence that the hacker was able to download files, though.

A cybersecurity firm was retained to investigate the incident further and to monitor the network for weeks after the incident.  The cybersecurity firm was able to verify that no further malicious activity occurred during those weeks.

CCD maintains that the patient information is important and stated that steps have been taken to further secure the network.   Some of these changes include how the network is accessed and password requirements were updated.  New anti-virus software has been implemented and CCD has been consulting with seasoned IT professionals to determine what mitigations they might employ.  Additionally, CCD has verified that received-faxes are not being saved as digital images on computers.  CCD is also reinforcing their security-awareness training.

Per the usual notification, CCD is asking patients to view their medical documents carefully and to notify them if any suspicious activity is noticed.  Patients were cautioned to call their credit card companies and have new cards issued with a different account number.

CCD will provide affected patients with one year of online credit monitoring.  Patients were provided with a unique discount code in their mailed notification letters, that they could use to enroll in the service no later than November 29, 2018.  CCD also created a call center where patients can call to get information about the incident and how they, personally, can best protect their information.

The notice then provided information on identity theft that may be helpful for patients.

Ransomware is not going away.  To learn about some of the things you can do to reduce your risk, join HIPAAgps today.