Southern Hills Eye Care in Sioux City, Iowa, has announced that a recent ransomware attack on their facility may have compromised patient PHI.
Ransomware is a variant of malware which hackers use to extort victims. The malware prevents the victim from accessing their computer, or files on their computer, until a ransom is paid. Hackers often use phishing attacks to deliver malware to the victim’s device. The hacker sends the victim an email that appears to be from a trusted contact or organisation. The phisher includes an attachment in the email, which harbours the ransomware. When the victim opens the attachment, the computer becomes infected, and the victim is locked out of their files or device.
Ransomware attacks on healthcare organisations have become increasingly common in recent years. As only one employee needs to be fooled by the phishing attack for the ransomware to be successfully installed, these types of attacks pose a significant threat to sensitive patient data.
The ransomware attack on Southern Hills Eye Care occurred on January 15, 2019. The facility immediately launched an investigation to determine the extent of the breach. The investigators concluded that an unauthorised third party had gained access to the server and may have been able to view files containing patients’ protected health information. The types of information in the files included names, addresses, dates of birth, phone numbers, health information, health insurance information, and the Social Security numbers of Medicare patients.
Although the investigators concluded that the unauthorised party might have accessed information, they were unable to ascertain if they had done so. Furthermore, they did not uncover any evidence that patient information had been misused as a result of the data security incident.
Southern Hills Eye Care’s website states “we take the privacy and security of patient information very seriously and have taken steps to prevent a similar event from occurring in the future”.
The breach has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been affected.
Following the Health Insurance Portability and Accountability Act’s Breach Notification Rule, notification letters were sent to affected patients on March 15, 2019. Southern Hills Eye Care provided a toll-free number for patients to call to obtain more information about the incident.