There are different metrics for describing the impact of a breach, but one of the ones I use in my subjective system is whether patient data that might be needed for care have been lost, stolen, or corrupted. In June, there were a lot of data breaches or security incidents and many involved ransomware. One incident, however, that pretty much flew under the media radar, actually resulted in loss of patient notes. In a June 13 notice to patients, Cove Family & Sports Medicine in Huntsville, Alabama wrote that unnamed ransomware encrypted patients’ medical records.
“The encrypted medical records contained patient information, including names, dates of birth, social security numbers, addresses, patient identification numbers, prescription information, diagnosis information, procedure information, and time and date of treatment,” the doctors write.
Cove Medicine did not pay the ransom. It elected to reinstall the operating system on its server and then it restored the majority of its patient records from backup copies. Their approach was only partially successful, though:
The backup records, however, were partially encrypted as well and the practice currently has not been able to restore its internal notes for visits that have occurred in approximately the past two years. Cove Medicine believes it will be able to restore all other treatment records, and that this will not impair its ability to provide care to its patients.
So the good news is that most of the data were recovered from backups, the doctors do not believe that care will be impacted, and there was no indication that any data were exfilitrated. But this was obviously not a total success, and it’s not clear whether the lost/unrecovered internal notes might impact care. The doctors write:
“We take patient privacy seriously, and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected,” said Dr. Jonathan Krichev, one of the physicians and partners of Cove Medicine.
With so much ransomware and so many attacks these days, what lessons can other entities learn from Cove Medicine’s experience? The doctors did not disclose how the ransomware got into their system, and there might be something to be learned from that. Nor do they explain how the backups wound up partially encrypted, too, and perhaps that’s something we can all learn from, too.
This is not to sound critical of Cove Medicine. They clearly did the best they could in an unfortunate situation that was not of their choosing and it no small measure of success that they recovered as much as they did. I’m just wondering what lessons can be learned that might save others the same misery.
At the present time, the incident is not up on HHS’s breach tool, and we do not know how many patients were notified of this incident.