KS: When your incident response creates a second problem….

On August 16, Salina Family Healthcare posted a substitute notice about a ransomware incident:

Salina, Kansas – August 16, 2017 – Salina Family Healthcare Center (“SFHC”) has become aware of a data security incident that may have resulted in the disclosure of personal and protected health information of our patients and payment guarantors. Although at this time there is no evidence of any attempted or actual misuse of anyone’s information as a result of this incident, we have taken steps to notify our patients and payment guarantors and provide resources to assist them.

On June 18, 2017, we were the target of a ransomware attack that encrypted some of our computer workstations and network servers. We immediately initiated a comprehensive response to secure our systems and investigate the incident. In order to avoid interruption in continuing to see patients, we immediately restored our computers and servers from a recent backup. We also engaged independent computer forensics experts to determine how the incident occurred and if information had been accessed by an unauthorized third party.

Although the investigation did not identify any evidence of access to individual information, we could not rule out the possibility that individual personal information, including names, addresses, Social Security numbers, dates of birth, health insurance information, and medical treatment information is at risk. No financial transaction or payment information was involved in this incident. To date, we are not aware of the misuse of anyone’s information as a result of this incident.

We take the security of all information in our systems very seriously, and want to assure you that we have taken steps to prevent a similar event from occurring in the future. This includes scanning our network for viruses, upgrading servers to improve network security, limiting Internet access to minimize risk of exposure, providing additional network security training to IT staff, and additional training on malware threats to all employees.

We mailed a letter to individuals potentially impacted by this event which includes steps they can take to monitor and protect their personal information. We have established a toll-free call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 8:00 a.m. to 8:00 p.m., Central Time and can be reached at 1-855-742-6212. In addition, out of an abundance of caution, we are offering credit monitoring and identity theft resolution services through AllClear ID to potentially impacted individuals at no cost.

We sincerely regret any concern or inconvenience that this matter may cause you, and remain dedicated to protecting your information.

[…]

The number of patients being notified was not revealed and the incident has yet to appear on HHS’s public breach tool.

But Salina seems to have encountered a problem with their notifications/incident response, because I found an update to their breach notification that says:

Update – August 21, 2017 – If you received a letter that was incorrectly addressed from Salina Family Healthcare Center regarding our data security incident, please mark it “Return to Sender” and return it to your mailperson or post office. We will review any returned letters and ensure that they are revised and delivered to the correct address.

About the author: Dissent