Apr 22, 2019

From a press release by pediatric orthopedic surgeon Ronald Snyder, M.D.:

April 18, 2019 /PRNewswire/ — On April 18, 2019 Ronald Snyder, M.D., (“Dr. Snyder”), announced a recent event that may have impacted the privacy of personal information relating to certain individuals. While Dr. Snyder is unaware of any attempted or actual misuse of personal information in relation to the event, his office is providing potentially affected individuals with notice of the event, information about the event, his office’s response to it, and steps individuals may take to better protect against the possibility of identity theft and fraud, should they feel it is necessary to do so.

What Happened? On January 9, 2019, Dr. Snyder’s staff became aware that electronic information stored on his office’s computer server had been encrypted as the result of a “ransomware” cyber-attack by an unknown actor.  Because the server that was encrypted stored patient billing information, Dr. Snyder’s immediate goals were to (1) ensure his office could still access patient information that had been encrypted so that his office could continue to care for patients without disruption; and (2) investigate what happened and confirm as quickly as possible if this incident resulted in any unauthorized access to, or theft of, patient information by the unknown actor. Because the office regularly creates backup copies of patient information, Dr. Snyder was able to quickly gain access to almost all patient information that had been encrypted and easily restored information that was not accessible.  He also immediately began working with outside cybersecurity and computer forensics experts to determine whether any patient information was subject to unauthorized access.

Since Dr. Snyder learned about this issue on January 9, 2019, he has taken every necessary step to investigate this incident and the impact it may have on patient information, which included working with multiple industry-leading experts to recover the important information that was encrypted on the computer server. Unfortunately, after many efforts and attempts, Dr. Snyder learned on April 2, 2019 that he would be unable to determine whether this incident resulted in unauthorized access to patient information, due to the damage done to the computer server and the information stored on it.

Although Dr. Snyder has no indication that any patient information was specifically targeted, viewed, or stolen by an unauthorized actor in relation to this incident, he is notifying potentially affected individuals about this incident in an abundance of caution due to the uncertain nature of the incident.

What Information Was Involved? Dr. Snyder determined the server that was encrypted stored medical billing information, which may include: name, address, date of birth, gender, co-pay amount, patient status, employment status, telephone number, email address, and certain patients’ insurance identification number, which may be a Social Security number. There is no indication that any such information was specifically targeted, viewed, or stolen by an unauthorized actor in relation to this incident.  However, a complete investigation to make that determination was not possible.

What Dr. Snyder is Doing. Dr. Snyder takes this incident and the security of patient information in his practice’s care very seriously.  As part of his practice’s ongoing commitment to the privacy and security of patient information, he is working to review existing policies and procedures and to implement additional safeguards to further secure the information in his systems. He is also notifying the Department of Health and Human Services, other government regulators, as required, and prominent news media outlets in the state of New Jersey. Dr. Snyder also notified law enforcement of this incident.

In addition, while he is not aware of any actual or attempted misuse of personal information in relation to this incident, he is offering potentially affected individuals access to 1 year of complimentary identity restoration services through TransUnion.

What Potentially Affected Individuals Can Do. Potentially affected individuals can find out more about how to protect against potential identity theft and fraud in the enclosed Steps You Can Take to Prevent Fraud and Identity Theft.  Potentially affected individuals can also enroll to receive the free identity restoration services being offered.

For More Information. If you are a potentially affected individual and have questions about this incident, please call our dedicated assistance line at 855-222-3630, Monday through Friday (except holidays), during the hours of 9:00 a.m. to 9:00 p.m., Eastern Time.

Read the full release on Dr. Snyder’s web site, here.

Apr 19, 2019

Laura Hautala reports:

It’s some of the most sensitive medical information a person could have. Records for potentially thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday [link corrected by DataBreaches.net].

The records included patients’ names, as well as details of the treatment they received, Justin Paine, the researcher, says. Each patient had multiple records in the database, and Paine estimates there could be about 145,000 patients total in the database.

Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.

Read more on CNET.

Apr 18, 2019

Keith Edwards reports:

A malicious computer virus that hit the city overnight and froze the city’s computer network forced the closure of Augusta City Center Thursday.

The virus, which officials said was intentionally inflicted upon the city’s servers, also shut down computers used by public safety dispatchers — but not the city’s phone system or the public safety radio system relied upon for dispatchers, police, fire and ambulance staff in the field to communicate.

Dispatchers, who don’t have access to their usual computer-aided dispatching system, are tracking calls and the activity and whereabouts of police officers, firefighters and ambulance crews manually.

Read more on Sun Journal.

Thanks to the reader who sent in this link!

Apr 18, 2019

Callie Ferguson reports:

A communications official at Northern Light Acadia Hospital in Bangor mistakenly emailed the confidential names of 300 patients with prescriptions for Suboxone, a medication used to treat opioid use disorder, to an editor at the Bangor Daily News last week.

In addition to their names, the list also contained the identities of the patients’ medical providers, all of which is protected under federal privacy laws that prohibit health care organizations from disclosing personal patient information to the public without permission. Disclosing that a person takes Suboxone effectively outs him or her for seeking treatment for opioid addiction.

Read more on Bangor Daily News.

Apr 18, 2019

An article by William Maruca of FoxRothschild is headlined, “Ransomware Claims A Victim.” It discusses the case of Brookside ENT, whose doctors decided to shutter their practice and retire a year early after a ransomware attack that encrypted their patient data, billing information, scheduling information, and even their backups. In other words, the attacker successfully crippled the practice and any chance it stood of restoring from the backups it had. Under the circumstances, I’m a bit surprised that the attacker only demanded $6,500.00.

In any event, after reading more about the incident and mulling it over for the past two weeks, I’m going to politely disagree with the assessment that ransomware claimed a victim, because although ransomware was involved, the doctors, Dr. William Scalf and Dr. John Bizon, made a decision to sacrifice any chance of recovering files their patients needed for what? To save maybe $6500? Maruca writes:

Facing the expense and uncertainty of recovering from this attack, the two physicians, Dr. William Scalf, 64, and Dr. John Bizon, 66 (who also serves as a Republican Michigan state senator), decided to close their practice and accelerate their planned retirement by a year.  Unfortunately, with all their records wiped clean, they did not even have a list of patients and their contact information to allow them to communicate the closure of the practice.  Instead, Dr. Scalf said, “… what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.”  Patients were given referrals to other otolaryngologists in the area, but their records, including test results, remained unavailable.

In explaining their decision not to pay the ransom, Maruca’s article cites a statistic from a cybersecurity firm that only 1/3 of victims who pay ransom get the decryption key. That percentage is significantly less than what the BakerHostetler law firm reports.  They report that in their experience handling hundreds of cases last year, the decryption key was provided in 94% of cases when  ransom was paid.  And these were not all small ransoms. The firm notes that already in 2019, they have had a few clients make ransom payments of more than $1 million — although they inform me that none of these are healthcare entities.

As other reports note, the likelihood of being able to recover data, even with a decryption key, is in no small part a function of what type of ransomware was involved. In the Brookside case, we haven’t been told that piece of information, but the doctors do not mention that as one of the factors that led to their decision not to pay the ransom.

Suppose the doctors had paid the decryption ransom of $6500.00 and gotten access to their data. They could have still decided to close the practice and retire early rather than rebuild their entire infrastructure and network, but at least they would have been able to contact patients and offer patients the ability to obtain copies of their medical records.

And if the doctors paid the ransom and got stiffed, then at least they could say they tried their best.

Over the past few years, I’ve often stated publicly that even though none of us want to reward criminals or encourage more ransom demands, I would never condemn a healthcare entity who decided to pay ransom because patient care or patient safety was being compromised.  I never anticipated that the day might come when I might actually criticize a healthcare entity for not paying a ransom demand, but this situation comes close.

So did the doctors make a decision in their own best interest that was also in the patients’ best interests at this point, or did they just do what was easiest for them, even though other options might have been better for the patients?

Yes, we can talk about how this all might have been prevented in a perfect world where the doctors had a copy of their updated patient roster with contact info printed out daily or where they had a different backup system that could not be corrupted by the ransomware, but that ship already sailed.  Let’s just look at the decisions that had to be made at that point. Did the doctors do the right thing? What do YOU think?  Either way, I want to be clear that I still do feel badly for the doctors, but right now, I’m just focused on the patients and whether this decision was appropriate given that it left patients definitely without access to their medical records.
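The closing aside above mentions a backup system that the ransomware could not have corrupted. As an added illustration (this is not part of the DataBreaches.net post, and it makes no claim about how Brookside ENT or Dr. Snyder’s office actually ran their backups), the following constructed Python simulation shows the one property that matters: a backup on a share the compromised host can write to is lost together with the originals, while a store that only accepts new, uniquely named snapshots, is never mounted on the host, and verifies each snapshot by hash before restoring still has yesterday’s copy. The store class, file names and contents are all made up for the example.

```python
"""Constructed simulation: a backup the compromised host can overwrite versus
an append-only, hash-verified snapshot store it cannot alter."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def hash_tree(root: Path) -> dict:
    """{relative posix path: sha256} for every file under root (manifest excluded)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != "MANIFEST.json"}


def copy_tree(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest; return the hashes of what was copied."""
    for p in sorted(src.rglob("*")):
        if p.is_file():
            out = dest / p.relative_to(src)
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(p.read_bytes())
    return hash_tree(src)


class AppendOnlyStore:
    """Hypothetical backup target the protected host reaches only via snapshot().

    Stands in for a store whose credentials allow creating new, uniquely named
    snapshots and nothing else (an object-lock/WORM bucket, or a backup server
    that pulls from the client). Its root is never mounted on the protected
    host, so malware running there cannot reach existing snapshots.
    """

    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)

    def snapshot(self, src: Path, name: str) -> dict:
        dest = self.root / name
        if dest.exists():  # existing snapshots are immutable: no overwrite, no delete
            raise PermissionError(f"snapshot {name!r} exists; overwrite refused")
        dest.mkdir()
        manifest = copy_tree(src, dest)
        (dest / "MANIFEST.json").write_text(json.dumps(manifest, sort_keys=True))
        return manifest

    def verify(self, name: str) -> bool:
        """Recompute hashes and compare with the manifest written at snapshot time."""
        dest = self.root / name
        return hash_tree(dest) == json.loads((dest / "MANIFEST.json").read_text())

    def restore(self, name: str, target: Path) -> int:
        if not self.verify(name):
            raise ValueError(f"snapshot {name!r} failed integrity check; refusing restore")
        manifest = json.loads((self.root / name / "MANIFEST.json").read_text())
        for rel in manifest:
            out = target / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes((self.root / name / rel).read_bytes())
        return len(manifest)


def simulated_ransomware(*reachable: Path) -> int:
    """Stand-in for in-place encryption: flips every byte of every file in the
    directories the compromised host can write to. It is handed only those
    paths; the store root is deliberately not among them."""
    hit = 0
    for root in reachable:
        for p in root.rglob("*"):
            if p.is_file():
                p.write_bytes(bytes(b ^ 0xFF for b in p.read_bytes()))
                hit += 1
    return hit


def run_scenario() -> dict:
    """Constructed data: a practice's records, a copy on a share the host can
    write to, and one snapshot in the append-only store."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        records = tmp / "records"
        (records / "billing").mkdir(parents=True)
        (records / "patients.csv").write_text("id,name\n1,example patient\n")
        (records / "billing" / "2019-01.txt").write_text("copay 25.00\n")
        original = hash_tree(records)

        mounted_backup = tmp / "mounted_backup"   # host has write access here
        copy_tree(records, mounted_backup)
        store = AppendOnlyStore(tmp / "store")       # host has API access only
        store.snapshot(records, "2019-01-08")

        simulated_ransomware(records, mounted_backup)

        try:  # the store refuses to replace the existing snapshot
            store.snapshot(records, "2019-01-08")
            overwrite_refused = False
        except PermissionError:
            overwrite_refused = True

        restored = tmp / "restored"
        n = store.restore("2019-01-08", restored)
        return {
            "mounted_backup_intact": hash_tree(mounted_backup) == original,
            "snapshot_verified": store.verify("2019-01-08"),
            "overwrite_refused": overwrite_refused,
            "restored_files": n,
            "restore_matches_original": hash_tree(restored) == original,
        }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Running it reports the mounted copy no longer matching the originals while the snapshot verifies and restores both files. The real-world equivalents are object-lock/WORM storage or a pull-based backup server whose credentials the protected machine does not hold, combined with a periodic test restore; the `overwrite_refused` check is the property to confirm against whatever store is actually in use, because a backup the host can overwrite is the one the Brookside attacker was able to encrypt.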