Vascular Surgical Associates in Georgia has been notifying patients of a hack discovered in September. From their site:
Vascular Surgical Associates Protected Health Information Breach
Vascular Surgical Associates was recently the victim of a hacking incident that may have resulted in inappropriate access to certain information about you. On or about September 13, 2016, we became aware of suspicious activity involving one of our computer servers. We initiated an investigation and learned that that one of our computer servers was accessed using a compromised vendor password around the time of a software application upgrade. As a result, computer hackers gained access to the server over a period of time from around March 25, 2016 until our internal IT staff discovered it on September 13, 2016. Our investigation has determined that these hackers probably reside in other countries.
Although our investigation was not able to definitively conclude whether the hackers actually accessed or obtained a particular individual’s information, it would have been possible for the hackers to access and obtain patient information about many of our current and former patients, including medical records and demographic information such as date of birth and address. No social security numbers or financial data was stored on the compromised server.
This incident did not involve or affect the security of our patient portal or our ability to continue to provide the high quality care you have come to expect from us. Upon learning of the incident and verifying the unauthorized access through forensic evaluation, we immediately secured the server so that this type of attack could not occur again. We are confident that none of our staff had any involvement in this incident, as the compromised password that was used to access the information was only available to our vendors and their staffs.
Letters have been sent to each of our patients potentially affected by this unfortunate event. The letters contain the steps that you can take to protect yourself from the potential misuse of this information. To the best of our knowledge, no social security numbers, no bank information, and no credit card data was on the server. We do however recommend that you monitor those accounts closely for the next year.
We have also reported the incident to the FBI and the U.S. Department of Health and Human Services Office for Civil Rights, each of whom will open an investigation. We feel very strongly that the people who took these wrongful actions against you and us should be brought to justice.
We deeply regret that this incident occurred. As part of our response to the incident, we have established a call center to personally address your concerns and answer your questions. Patients may contact the call center toll-free at (800)-550-6616 between 9:00 a.m. and 5:00 p.m. Eastern time, Monday through Friday.
Thank you for the opportunity to care for you and your family. We trust that our response to the bad actions of others demonstrates our unwavering commitment to providing you with the highest standard of care. Our patients matter to us.
In a companion FAQ, they provide some additional details:
Q. Whose fault is it?
A. In our regular and ongoing compliance with government regulations governing the confidentiality and integrity of electronic health information, we hired vendors with national reputations and significant client bases to support the computer system infrastructure we use to maintain our medical records. Their software has been certified by the United States Office of the National Coordinator for Health Information Technology.
A password that was created by one of these vendors and controlled by that vendor was used to access our system inappropriately. The perpetrators installed software on our system to prevent us from seeing the activity, but once that activity was identified by our internal IT staff, the system access was changed to prevent additional access using that password.
Based on our investigation and information we have obtained from law enforcement agencies, the access to our system was an illegal and intentional act of compromising our server conducted by some offshore perpetrators from a foreign location yet to be conclusively determined; however, we currently know that Internet addresses in Ghana, the People’s Republic of China, Russia, and other countries were used.
Q. Where is my confidential medical information now?
A. The information is in the same place with better “locks” (security controls and processes) and different “keys” (passwords). Our practice uses vendors with national reputations that service clients larger and smaller than our practice, and their software has been certified by the United States Office of the National Coordinator for Health Information Technology. They deal with such threats on a regular basis and we have confidence in them.
We don’t know if any of your medical information was exported from the system, but we don’t see any evidence of that happening. If our ongoing investigation reveals anything different, we will let you know.
Patients of VSA’s sister site, Vein Specialists of Northwest Georgia, were also impacted by this incident.
Neither entity is yet listed on HHS’s public breach tool, so we don’t have numbers for this incident yet, and this post will likely be updated at some point.
Because of the location (Atlanta) and the report of a vendor’s login credential being compromised in March, DataBreaches.net asked TheDarkOverlord if this was one of his hacks. He denied it. DataBreaches.net has sent an inquiry to VSA concerning the vendor, and hopes to obtain some additional information.
Update: HHS shows that VSA reported 36,496 patients were notified, but it’s not yetclear if that report is just for them or if it also includes Vein Specialists of Northwest Georgia.