The Jones Eye Clinic and its affiliated surgery, CJ Elmwood Partners, based in Sioux City, Iowa, has announced that up to 40,000 patients may have had their data compromised following a ransomware attack on their systems.
The ransomware attack was discovered on August 23, 2018. Ransomware is malicious software that encrypts, or otherwise blocks access to, a device or the files on it until a ransom is paid to the attacker. The organisation immediately took steps to secure its servers, and third-party computer forensics investigators were brought in to assist with the response.
The ransomware attack affected data stored in a system used for scheduling appointments and billing patients. Although the attack was only discovered on August 23, the computer forensics team determined that the malware was installed on the system on August 22. Electronic medical records are housed on a separate system from the one targeted by the attacker, and were therefore not affected.
The attacker initially demanded a ransom from the organisation in exchange for the key needed to decrypt the files. Because the organisation was able to recover its files from backup servers and restore operations without dealing with the attacker, no ransom was paid. A full data restoration was completed on August 23.
An investigation was launched to determine the extent of the damage and whether any patient data had been stolen during the attack. Investigators found no evidence that the attacker viewed or obtained patient data, and there have been no reports of patient information being misused. Even so, those affected by the breach may still be at risk of identity fraud.
The information potentially accessed was limited to full names, dates of birth, addresses, medical record numbers, dates of service, and general descriptions of surgical procedures and clinic visits. Some patients may also have had their insurance status, Social Security number, and claims information exposed. Jones Eye Clinic and its third-party investigators do not believe financial information was accessed or exposed.
The breach potentially affects all patients of the eye clinic and surgery center who registered or received medical services between January 1, 2003 and August 23, 2018.
All affected patients have been offered free credit monitoring services for 12 months. In accordance with HIPAA’s Breach Notification Rule, patients have been notified of the data breach by mail and have up to January 19, 2019 to enrol for credit monitoring services.
Ransomware has become a steadily bigger threat in recent years. According to Verizon's 2018 Data Breach Investigations Report, ransomware was the most common variety of malware identified, present in 39% of malware-related incidents, roughly double its share in the previous year's report. In the case of Jones Eye Clinic, it has not been determined how the ransomware was installed on the system. A common delivery route for this kind of attack is a phishing email whose malicious attachment an employee opens, so training staff to recognise suspicious emails is a good first line of defence. The clinic's experience also shows the value of a second line: backups kept on separate servers, which allowed a full restoration without paying the attacker.