An oncology practice in Delaware was hit by ransomware in June 2017.

Medical Oncology Hematology Consultants, P.A., identified as the “Practice,” recently reported that it was hit by ransomware in an incident affecting more than 19,000 patients. According to the notice to patients, the attack wasn’t discovered until July 7.

An investigation was conducted, which included using third-party experts to aid in recovering the affected data. After the investigation, the Practice implemented certain safeguards to help protect against ransomware attacks in the future. Network passwords were changed, servers were restored from a time period before the attack, and document retention policies were reviewed and updated. A two-factor authentication system was implemented in the organization, and access privileges were reviewed.

The Practice also conducted a specific social engineering test using an email phishing campaign to determine which employees might click on malicious links in the future.  Supplemental security training was provided to employees.

The Practice notified all affected individuals of the incident and believes that the information was not compromised.  Information that was held ransom included patient names, dates of birth, contact information, and health and treatment information.  It appears that Social Security Numbers were not included in the ransomed information.

Additionally, the Practice is using ID Experts to provide 12 months of credit monitoring for those affected at no extra cost.  The Practice provided more information on how to prevent fraud in the notice, such as optional credit freezes, reviewing annual credit reports, and reviewing credit card statements and other bills for fraudulent items.

This is another perfect example of why security training and anti-virus software are important for all organizations, regardless of size. Social engineering tests can help you determine who needs more security awareness training. The safeguards that Medical Oncology Hematology Consultants, P.A. implemented after the incident are safeguards that should already be in place where possible.

