Around 400,000 Patients impacted by ransomware attack on Columbia Surgical Specialists in Spokane

Columbia Surgical Specialists in Spokane city of Washington impacted by a ransomware attack, which has possibly allowed unauthorized individuals access to Protected Health Information (PHI) of around 400,000 patients. The Columbia Surgical Specialists came to know about this ransomware attack on Jan. 9, 2019. This security breach was then investigated immediately, and assistance has been provided by Intrinium, the IT security provider.

Files that were encrypted by ransomware contain patient information, including names, Social security numbers, driver's license numbers and various other types of PHI.

HIPAA Journal has been told by the Columbia Surgical Specialists that data security firm "went through our systems with a fine-tooth comb". The data security firm concluded that the patient data was not stolen by attackers, "but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee". However, Columbia Surgical Specialists thinks that risk to the patients has been very low, and the notification sent to the patients is just a precautionary step.

The vulnerability that has been exploited in order to have access to Columbia Surgical Specialists network server for installing the ransomware was addressed. Moreover, the internal protocols along with procedures are getting reviewed by Columbia Surgical Specialists to prevent the future attacks.

Columbia Surgical Specialists were very open about this breach. They confirmed that for recovering the patient files, decision has been taken to pay ransom demand. Around $14,650 was paid in the cryptocurrency for decrypting the file that was encrypted by this ransowmare.

"We received notice from the people that encrypted the files just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee," stated the Columbia Surgical Specialists. "We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data".

The breach notification that has been sent to the patients provides certain insight about the nature of the breach investigations and the reason behind taking so long for issuing notifications to the patients.

The security breach has been reported to Department of Health and Human Services' Office for Civil Rights on Feb. 18, 2019.

» SPAMfighter News - 3/22/2019