The Center for Orthopaedic Specialists (COS) in California has three locations in West Hills, Simi Valley and Westlake Village. COS has been notifying 85,000 current and former patients of a ransomware attack on their unnamed IT vendor in February. From their April 18 notice on their web site:

The Center for Orthopaedic Specialists (COS) recently learned that our computer system was compromised by a security event that affected our three facilities in West Hills, Simi Valley and Westlake Village, Calif. Malicious software was used to gain access to and encrypt patient data in our system in the hopes of getting COS to pay money to restore access to the patient data. To the best of our knowledge, no patient information was removed by any unauthorized party as a result of this event. However, out of an abundance of caution, we are notifying all patients whose information was stored on the compromised system. A notification letter was sent to all current and former patients of COS (or to their legal guardians or representatives as appropriate).

What Happened

A third-party technology vendor provides COS with information technology (IT) services. We recently received notice from the IT vendor that an unauthorized party had illegally accessed COS’s computer network. Working with the IT vendor, we immediately launched an investigation into the matter. The investigation determined that the unauthorized party began attempting to access our system beginning Feb. 18, 2018. The IT vendor indicated that the affected system was permanently taken offline before any patient information could be removed by the unauthorized party.

What Information May Have Been Involved

The patient data that was encrypted by the unauthorized party could have included a patient’s name, date of birth, details about their medical records, and Social Security number. To the best of our knowledge, no patient information was downloaded or removed by the unauthorized party.

What We Are Doing To Support Our Patients

We have notified federal law enforcement officials, who may choose to conduct a criminal investigation into the matter. We continue to work with our third-party technology vendor to address the issue, and as noted above, the affected system was taken offline permanently.

As an added precaution, we have arranged to have ID Experts provide identity protection services for 24 months at no cost to our patients. This service is optional but we strongly encourage our current and former patients to take advantage of the benefits it provides. Eligible patients may enroll at idexpertscorp.com/protect or by calling (888) 312-0811 and providing the membership enrollment code provided in the letter mailed to their home. If you have not received a notification by mail but feel you should have, please contact ID Experts for assistance. Representatives can be reached at (888) 312-0811, Monday through Friday, 6 a.m. to 5 p.m., Pacific Time.

For any patient concerned about identity theft, COS recommends regularly reviewing statements from your accounts and health care providers, and periodically obtaining your credit report from one or more of the national credit reporting companies. You may obtain a copy of your credit report once every 12 months free of charge by either visiting annualcreditreport.com, calling toll free to (877) 322-8228, or by completing a request form found at ftc.gov/bcp/menus/consumer/credit/rights.shtm and mailing it to: Annual Credit

Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. For questions about identity theft, credit monitoring and how to keep information secure, visit
consumer.ftc.gov/topics/identity-theft.

See also the page about this incident by IDExperts.  Providence Health & Services also submitted the following notification to California:

COS did not reveal the type of ransomware involved or the amount of the ransom demand or anything about the identity of the attacker(s). Nor did they immediately respond to an emailed inquiry from DataBreaches.net asking about the ransomware and ransom demand.  The incident is not listed on HHS’s public breach tool as of the time of this posting.