Date: August 2, 2017
The Women’s Health Care Group of Pennsylvania has notified 300,000 of its patients that a ransomware attack has put their personal health information at risk. The breach was discovered in May; however, hackers had unauthorized access to the system as early as January.
Data breach on Women’s Health Care Group system discovered during ransomware investigation
The Women’s Health Care Group discovered on May 16 that a server and a workstation had been infected by ransomware. Officials said the infected server and workstation were removed from the network, after which a computer forensics team was engaged to investigate.
What did the investigation reveal?
The investigation revealed that the cyber-criminals had gained access to the system as early as January 2017 by exploiting a security vulnerability. Officials said the flaw allowed limited access to patient information before the ransomware encrypted certain files.
What kinds of data were exposed?
The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, race, blood types, gender, pregnancy status, medical record numbers, employer information, medical diagnoses, insurance details, physicians’ names and Social Security numbers. Officials said the encrypted files were restored from backups and that patient care was not disrupted.
Report filed with the FBI
The health system has also filed a report with the FBI.
The officials said in a statement, ‘Maintaining the integrity and confidentiality of our patients’ personal information is very important to us.’ They added, ‘We’re conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future.’
Although the attackers issued a ransom demand, Women’s Health Care Group paid nothing, as all data could be recovered from backups. Officials also said no protected health information was lost.
Training solutions include the gold standard HIPAA credential, Certified HIPAA Professional (CHP), and our world’s first compliance and cyber security credential, Certified Security Compliance Specialist (CSCS).
ecfirst is a HITRUST Authorized CSF Assessor.
Many clients engage ecfirst extensively for its flexible services, which range from on-demand consulting to managed compliance services programs that cover training, policies, remediation, risk assessment, technical vulnerability assessments, penetration testing and much more.