Northwest Rheumatology of Tucson, Arizona has announced that some of its computer systems were taken out of action following a ransomware infection on April 10, 2017.
Following any ransomware attack, HIPAA-covered entities must conduct an investigation to determine the extent of the attack and whether patients’ protected health information has been compromised. If a covered entity can determine with a high degree of certainty that protected health information has not been accessed, viewed or stolen – or, in the case of ransomware, that ePHI was not encrypted – patients do not need to be notified and a report does not need to be sent to the Office for Civil Rights.
When the attack was discovered, Northwest Rheumatology called on its computer security vendor to complete a full investigation into the attack to determine the extent to which data had been encrypted and if any PHI had been compromised.
Northwest Rheumatology was informed by its vendor that the ransomware attack was limited and no protected health information had been encrypted, accessed or copied. Consequently, patient notifications and an OCR breach report were not issued.
However, on June 18, 2017, the healthcare provider uncovered evidence to suggest its systems had been compromised. Northwest Rheumatology hired an independent computer forensics firm to conduct an investigation and the firm confirmed on July 6 that system access had been gained, and potentially, ePHI could have been accessed.
Northwest Rheumatology reports no evidence was uncovered to suggest unauthorized individuals gained access to ePHI or that ePHI was stolen, but the possibility could not be ruled out.
Patients whose protected health information was exposed have now been notified of the security incident by mail and have been offered credit monitoring and identity theft restoration services for 12 months without charge.
The incident has now been reported to the Office for Civil Rights, although it has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been impacted.
This is one of three recent incidents involving ransomware that were initially thought to have resulted only in file encryption, where it was later discovered that system access had also been gained. An investigation into a ransomware attack on Women’s Health Care Group of Pennsylvania revealed that access to its systems had been gained four months previously. An investigation into a ransomware attack on Peachtree Neurological Clinic revealed that its systems had been compromised for 15 months.