Date: August 2, 2017
The Plastic Surgery Associates of South Dakota has notified 10,200 patients that some of their protected health information (PHI) was at risk due to a ransomware attack in February this year.
The Plastic Surgery Associates of South Dakota found that some of its systems were infected with ransomware on February 12, 2017.
Rapid action was taken to remove the ransomware. They decrypted the affected systems and involved third-party forensics experts to investigate. They tried to determine whether any data was exposed and the extent to which patients' data was impacted.
The investigation found that, despite the attack, the majority of its patients did not have any of their data accessed or even encrypted.
However, critical files were lost while the data was being restored, which resulted in the loss of certain evidence.
Therefore, on April 24, the association decided that, without proper evidence, the possibility of PHI access for 10,200 patients could not be ruled out completely.
Thus, all of those 10,200 patients were informed about the possible data breach.
The compromised data included Social Security numbers, driver’s license numbers, state ID numbers, credit and debit card information, lab test results, medical diagnoses, birth dates, health insurance information and details of medical conditions.
To date, Plastic Surgery Associates of South Dakota has not received any reports of misuse or attempted misuse of patients' data.
Out of an abundance of caution, affected individuals have been offered membership of Equifax Credit Watch Silver credit monitoring and identity theft protection services for 12 months at no cost.
The Plastic Surgery Associates of South Dakota said,
“The confidentiality, privacy, and security of our patient information is one of our highest priorities. We have stringent security measures in place to protect the security of information in our possession. In addition, as part of our ongoing commitment to the security of protected health information in our care, we are working to implement additional safeguards and security measures to enhance the privacy and security of information on our systems. We are also reporting this incident to the U.S. Department of Health and Human Services (HHS).”