Here’s another incident where patients are not being offered any mitigation services — in this case, presumably because the entity and its external IT vendor could not find any evidence that ransomware threat actors had ever accessed, copied, or exfiltrated any data.
Employment Specialists of Maine is a service provider for adults with mental health issues and other disabilities. On November 2, they detected a ransomware attack and thwarted it. In their notification, they state that they believe that the ransomware was only in their system for 2 hours before they detected it and stopped the attack.
ESM did not pay the ransom demanded and were able to restore from backup.
Because they could not prove that there had been no access or copying or exfiltration, they notified 3,000 patients of the incident, as required by HHS’s interpretation of HIPAA requirements.
You can read their notification below. It does not mention what type of ransomware was involved or what the ransom demand was.ESM, Template Breach Notification Letter (12-8-20)