Brooklyn Hospital Center notifies patients after data could be not be recovered after malware attack
Brooklyn Hospital Center has issued a press release about a data incident that may not have resulted in access or exfiltration of patient data (they couldn’t determine that) but did result in their inability to recover certain data related to specific patients.
From their notice:
In late July 2019, the Hospital became aware of unusual activity relating to certain Hospital servers. The Hospital immediately commenced an investigation, which included working with a leading third-party forensic investigation firm, to determine the full nature and scope of the incident. Through this investigation, we determined that a malware that encrypted certain systems had disrupted the operation of certain Hospital systems; however, the investigation found no evidence that data was actually accessed or acquired by an unauthorized person(s). However, on September 4, 2019, the investigation confirmed that due to the malware, and despite exhaustive efforts by the Hospital to recover the data, certain patient data was unrecoverable. While recovery efforts are ongoing, based on this determination, the Hospital is undertaking a diligent review of the patient data that may be potentially impacted by this event and taking steps to notify those individuals whose records may no longer be available. To date, the Hospital are unaware of any actual or attempted access to or misuse of medical or personal information.
The unrecoverable information may include patient name and certain cardiac or dental images. As stated, there is no evidence to date of actual or attempted access to, acquisition of, or misuse of any medical or personal information related to this incident.
The full notice can be found at tbh.org/notice-data-event
DataBreaches.net contacted the hospital earlier this morning to inquire as to whether there had been any ransom demand, and whether the hospital had any usable backups of the data being described as unrecoverable (and if not, why not). This post will be updated if answers are received.