A small Missouri clinic paid a ransom demand after a ransomware attack in August affected a file server and backups.
Namaste Health Care in Ashland, Missouri, notified close to 1,600 patients about a ransomware incident that occurred in August 2017. As soon as the ransomware was discovered, Namaste took steps to try to protect the patient information by terminating the attacker's remote access. However, Namaste ended up paying the ransom to restore access to affected data, as the ransomware also affected backups.
Namaste believes the attacker was able to view information contained in the file server, so the health care organization is treating the situation like a breach. Information contained in the file server included patient names, addresses, dates of birth, and Social Security Numbers. Namaste stated that there was no evidence the information was transferred or exported from Namaste’s system.
Additionally, Namaste partnered with AllClear ID to create a call center where patients can ask questions and gain information on what the next steps might be for them. Namaste is offering affected individuals 12 months of identity theft protection at no cost.
This is a great example of why backups are so important, and why those backups should be stored in a manner that keeps them separate from the regular network. Had Namaste been able to use their backups, the ransomware payment wouldn’t have been necessary.
Reminder: A Data Backup Plan is required for HIPAA compliance.
The Data Backup Plan requires that Covered Entities and Business Associates “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
Make sure your organization maintains a Data Backup Plan, and that you keep your data backed up according to that plan’s stipulations.