Florida Heart Associates based in Fort Myers, FL encountered a ransomware attack on May 19, 2021 and has brought about significant and ongoing interruption to its services. Medical practice is just running at about 50% capacity for two months since the attack. Interruption is likely to proceed for various more weeks, as it’s not possible for the practice to completely recover until the end of August or the beginning of September.
Before using ransomware, the threat actors exfiltrated files that contain the protected health information (PHI) of 45,148 patients, such as Social Security numbers, member ID numbers, dates of birth, and medical insurance data. The attackers issued a ransom demand to make sure the stolen data is deleted and to get the keys for decrypting files. However, the practice decided not to pay the threat actors. The ransomware group was thrown out of the network, however not prior to making much of the IT infrastructure inaccessible.
The investigation showed the first breach of its systems happened on May 9, 2021. The attackers deployed ransomware on May 19 and then practice staff could not access the files. Because of the attack, its IT systems and telephone lines became unavailable. Telephone lines were only recently added back online.
CEO of Florida Heart Associates Todd Rauchenberger stated the practice is continuing to provide patient care and is currently accepting walk-in consultations. Besides being forced to work with no telephones and minimal IT systems access, the practice lost a lot of employees. With lesser staff members, patients are sensing the impact of the attack. Fox4 News mentioned that patients were unable to contact the practice by phone to book appointments, and many patients are having difficulties getting an appointment with a doctor.
Florida Heart Associates has actually informed patients regarding the breach and the compromise of their personal and medical data. The practice said it is going to implement more measures to enhance security moving forward, such as technical safety measures and audit and update of guidelines and procedures with regard to data privacy and protection.