Arkansas Oral & Facial Surgery Center disclosed a ransomware incident that may or may not have resulted in access to protected health information. As they explain in their notice to patients of September 24, 2017:
On July 26, 2017, Arkansas Oral & Facial Surgery Center discovered that its computer network had been impacted by ransomware, a type of computer virus that locks up, or encrypts, information and demands that a payment be made in order to unlock, or decrypt, the information. We promptly began an investigation which revealed that the ransomware had been installed on our systems by an unauthorized individual at some point earlier that morning or the evening before. As you may be aware, healthcare organizations and other types of companies across the country have been affected by similar types of ransomware cyber attacks and we believe that the motivation behind this incident was extortion, and not the theft of patient information. We have notified the FBI of this incident.
Except for a relatively limited set of patients, our patient information database was not affected by the ransomware, however, imaging files, such as x-rays, and other documents such as attachments were impacted. While our investigation into the matter continues, it does not appear that patient information was stolen from our system. However, the ransomware has rendered the imaging files and documents inaccessible. Based on our present investigation, it also appears that the ransomware rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident. Because we are unable to determine with reasonable certainty whether or not the perpetrator(s) placing the ransomware on our systems accessed patient information, and due to the impact on the availability of images and other files, we are providing you with notification of this incident.
From our investigation to date, we believe information contained in the affected files included attachments and radiographs that might include demographic information such as patient names, addresses, dates of birth, and Social Security numbers and clinical information such as diagnosis, treatment plans or conditions and other information such as health insurance information.
We take the protection of our patients’ information seriously. Following the incident, we have implemented a new record system. As an added precaution, we are also arranging for AllClear ID Identity Repair and Credit Monitoring protection for 12 months at no cost to our patients. If you are a patient of Arkansas Oral & Facial Surgery Center and believe that your records may have been affected by this incident, please call 1-855-609-5948 to see if you are eligible. We plan to have this telephone line open on Tuesday, September 26.
Additionally, and as a general matter, you should remain vigilant by regularly reviewing financial account, medical bills and health insurance statements. The Federal Trade Commission (FTC) recommends that you check your credit reports periodically to help spot problems. You can obtain a free credit report annually from each of the three major credit bureaus by calling 1-877-322-8228 or by visiting www.AnnualCreditReport.com. You should promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities, including local law enforcement, your state’s attorney general and/or the FTC. For more information about identity theft and other forms of financial fraud, as well as information about fraud alerts and security freezes, you can contact the FTC online at www.ftc.gov/idtheft, by mail at Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580, or by calling 1-877-ID-THEFT (438-4338).
You can also contact or visit the website of the major credit bureaus about placing a fraud alert or security freeze on your credit report or for information on other steps you can take to protect yourself from fraud and identity theft. You may choose to adopt an increased level of protection by placing a fraud alert on your credit file at the three credit reporting agencies. A fraud alert is a consumer statement added to your credit report. This statement alerts creditors of possible fraudulent activity within your report as well as requests that they contact you prior to establishing any accounts in your name. Once the fraud alert is added to your credit report, all creditors should contact you prior to establishing any account in your name. An initial fraud alert lasts 90 days. You may also place a security freeze, or credit freeze, on your credit file which is designed to prevent credit, loans, and services from being provided in your name without consent. However, setting a security freeze may delay your ability to obtain credit. In addition, you may incur fees to place, lift and/or remove a credit freeze. Credit freeze laws vary from state to state. Contact information for the three major bureaus is provided below:
Equifax: P.O. Box 105788, Atlanta, GA 30378, 1-800-685-1111, www.equifax.com
Experian: P.O. Box 9554, Allen, TX 75013, 1-888-397-3742, www.experian.com
TransUnion: P.O. Box 1000, Chester, PA 19022, 1-800-888-4213, www.transunion.com
Again, we believe the intent of this cyber attack was extortion and there is no evidence from our current investigation that your information was stolen from our system as a result of this incident. We encourage you, however, to exercise caution regarding communications if you receive an unsolicited call or email about this incident. Please know that we will not call or email anyone requesting any personal information as a result of this situation.
We take protecting our patients’ information seriously, and we regret any inconvenience or concern this unfortunate incident has caused you. We have set up a dedicated number for you to call with any questions or for more information. Should you have any questions, please do not hesitate to call 1-855-609-5948, Monday through Saturday, 8:00 a.m. to 8:00 p.m. Central Time. As stated above, we plan to have this telephone line open Tuesday, September 26.
Arkansas Oral & Facial Surgery Center
So why did they have 128,000 patients’ data on that server? Are those really all current patients? Why did those data have to be connected to the internet?