Ransomware continues to pose a major threat to covered entities, and not surprisingly, an incident reported to HHS in October by a Hanover, Pennsylvania eye care center turned out to be yet another ransomware incident. The practice kindly sent me a copy of the notification letter they sent to 30,000 patients:
Dear Sir or Madam,
May Eye Care, P.C. d/b/a The May Eye Care Center & Associates (May Eye Care Center) is subject to the breach notification rules of the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). HIPAA requires that covered entities provide notice to media outlets in a jurisdiction if that entity discovers a breach of electronic protected health information affecting 500 or more individuals in that jurisdiction. May Eye Care Center believes that such a breach occurred. Please consider this letter as notice of this situation, as described below:
On July 29, 2018, May Eye Care Center’s server, including its electronic medical records system, was compromised by a ransomware attack. The kinds of information stored on the server included patients’ names, dates of birth, addresses, diagnoses, clinical and treatment information, insurance details, and a limited number of Social Security numbers.
May Eye Care Center contracted a leading international computer forensics firm to assist with the investigation. May Eye Care Center also notified the FBI of the ransomware attacks. We have also engaged an information technology firm that specializes in computer security to review and enhance our security systems and protocols.
At this time, there is no evidence to suggest any patients’ protected health information has been directly accessed or used without their notification. In addition, we have already contacted all patients potentially impacted by this breach via personalized letter to alert them of what occurred and what precautions to take.
Because the breaching party may have had access to protected information, we want patients to take precautions to protect themselves from any potential additional use of this information. We recommend taking the following steps:
• Register a fraud alert with the three credit bureaus listed here; and order credit reports:
Experian: (888) 397-3742; www.experian.com; PO Box 9532, Allen, TX 75013
TransUnion: (800) 680-7289; www.transunion.com; Fraud Victim Assistance Division, PO Box 6790, Fullerton, CA 92834-6790
Equifax: (800)525-6285; www.equifax.com; PO 740241, Atlanta, GA 30374-0241
• Monitor account statements, EOBs, and credit bureau reports closely. Free credit reports are available once a year by calling 1-877-322-8228 or visiting www.annualcreditreport.com.
• Access helpful Web links to learn additional information on consumer protection when personal information is compromised. For example, American Health Information Management Association’s Medical Identity Theft Response Checklist for consumers:http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_039114.pdf
Additionally, if anyone believes that their information is being used in any unauthorized or fraudulent manner, immediately take the following steps:
• Close any personal accounts that have been tampered with or fraudulently opened.
• Notify your local police department
• Report the incident to the Pennsylvania Attorney General’s Bureau of Consumer Protection by calling 1-800-441-2555.
• Contact the Pennsylvania Department of Revenue Fraud Investigation Unit at 717-772-9297 or [email protected] for assistance in regard to any fraudulent tax returns
• If a Social Security number is suspected of being used inappropriately, contact the Social Security Administration’s fraud hotline at (800) 269-0721.
We apologize for any inconvenience these incidents may cause. Again, while we believe these attacks were targeted at our office for the purpose of obtaining monetary payments from May Eye Care, our primary concern is to make sure that patients have complete information and take all necessary precautions in the event that any personal information was compromised during this breach.
If you have any questions, please do not hesitate to contact our office at 888-607-0035 or you can send an email to [email protected].
May Eye Care, P.C.
Carl J. May, Jr., MD
In follow-up communications, a spokesperson informed this site that they did not pay any ransom and were able to restore from backups without any data loss, although they lost a few days while addressing the situation.