Eight months after ransomware attack, Advanced Urgent Care of Florida Keys notifies patients
On March 14, DataBreaches.net reported that Advanced Urgent Care of the Florida Keys had been attacked, and patient data dumped. The data dump had been listed on a Russian-language forum known for data dumps, and the threat actor, then known as “m1x,” called the medical group “Malicious Defaulters” because they wouldn’t pay to prevent data dumping.
As DataBreaches.net reported from inspecting the data dump:
The data, which were made freely available on a popular file-sharing site, contained more than 14,000 patients’ personal information. For some of the patients, there were numerous scans of patient records. In most cases, these were scans of reports that included some handwritten notes and results with the patients’ personal information, medical history, reason for testing or visit, and more.
There was also billing information dumped. From timestamps, it appeared the attack occurred on or about March 1. DataBreaches.net also posted a number of redacted screenshots from the data dump, while noting that the medical center had not responded to several inquiries sent to them by this site.
On May 31, more than 60 days after the dump first appeared, this site sent one last inquiry to Advanced Urgent Care of Florida Keys, asking them if they had ever reported this breach to HHS and whether they had ever notified patients.
Getting no response to that inquiry, either, DataBreaches.net filed a watchdog complaint with HHS on June 3, including screenshots of the listings and data, and offering to provide HHS with the full data dump if they needed it for investigative purposes.
On November 6, the practice issued a press release.
Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care Notice Regarding Data Security Incident
KEY WEST, Fla., Nov. 6, 2020/PRNewswire/ — Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care (“Advanced Urgent Care”) is committed to maintaining the privacy and security of information. On November 6, 2020, Advanced Urgent Care notified certain individuals about a data security incident.
Specifically, On March 1, 2020, a ransomware infection encrypted files stored on an Advanced Urgent Care backup drive. Advanced Urgent Care immediately began an investigation. As a part of its investigation, it worked very closely with external cybersecurity professionals.
After an extensive forensic investigation and manual document review, Advanced Urgent Care discovered on September 11, 2020 that the impacted backup drive contained personal and protected health information, including names, dates of birth, health insurance information, medical treatment information, medical diagnostic information, lab results, Medical Record Numbers (MRN), Medicare or Medicaid beneficiary numbers, medical billing information, bank account information, credit or debit card information, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, driver’s license numbers, signatures, and Social Security numbers. This incident does not affect all patients of Advanced Urgent Care and not all information was included for all individuals. The Advanced Urgent Care electronic health record system was not impacted by this incident.
Advanced Urgent Care takes this incident and security of personal information very seriously. Advanced Urgent Care has taken steps to secure its network and improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future.
Impacted individuals have been provided with best practices to protect their information and have been reminded to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. Advanced Urgent Care has recommended that affected individuals review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized. Individuals whose Social Security numbers were contained in the impacted backup drive have been offered a complimentary credit monitoring product.
For further questions or additional information regarding this incident, or to determine if you may be impacted by this incident and are eligible for complimentary credit monitoring, a dedicated toll-free response line has been set up at 1-866-977-1187. The response line is available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time.
View original content:https://www.prnewswire.com/news-releases/bruce-l-boros-md-pa-dba-advanced-urgent-care-notice-regarding-data-security-incident-301168080.html.
SOURCE Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care
1. The practice claims that on September 11, it discovered ePHI was involved? This site had published evidence of ePHI on March 14 and had written to them about it several times. So they already had evidence in March that they could confirm as their data. Will HHS let them claim discovery in September or will it point out that any reasonable entity would have discovered the breach no later than March 17? And when did HHS first contact the practice to follow up on my complaint (if they did contact them)?
2. The press release does not tell patients that their data was actually dumped and made freely available on two web sites, neither of which requires Tor to access. Does the notification letter to patients tell them that their data was first dumped on the internet on March 13?
I will be watching to see if HHS gives them a pass or walk on this one.
Update: On Nov. 6, Dr. Boros reported the incident to HHS as impacting 58,823 patients.