So many notifications due to ransomware, but are these really necessary?
Another entity has recently notified patients whose protected health information was on a server infected with ransomware. Once again, even though investigation turned up no evidence that any patient’s PHI was actually accessed or exfiltrated, entities are notifying – on the side of caution and/or because HHS requires them to in the absence of firm proof of no access.
Here is part of the notification letter from PVHS-ICM Employee Health and Wellness:
We are writing to inform you of a data security incident experienced by PVHS-ICM Employee Health and Wellness LLC (“PVHS- ICM”) that may have resulted in the exposure of your personal information, including your name, Social Security number, and medical information. PVHS-ICM currently operates the UCHealth Walk In Clinic at the location formerly utilized by Miramont Urgent Care at 2211 S. College Ave., Fort Collins, CO 80525 (the “Clinic”). This security incident involved a computer server previously utilized by Miramont Urgent Care; the server has not been utilized by PVHS-ICM since September, 2014. This security incident was limited to this single physical location and did not impact any other clinic. We value and respect the privacy of your information, and we sincerely apologize for any concern or inconvenience this may cause you. This letter contains information about steps you can take to protect your information, and resources we are making available to help you.
1. What happened and what information was involved:
On May 4, 2017, we discovered that a server in the Clinic containing patient records may have been impacted by ransomware. The server contained records for patients seen at the Clinic prior to September 23, 2014. We immediately began an internal investigation and hired independent computer forensic experts to assist us. The forensic investigation determined that an unauthorized user gained access to the server in order to infect it with the ransomware. We have no evidence that any of your personal information was actually accessed or removed from the server. However, because the server contained information that may have included your name, address, Social Security number, medical records (diagnosis and treatment information), health insurance policy number, and other demographic information, we decided to notify you out of an abundance of caution. The server did not contain any financial information. This server was not connected to any other computer systems and did not have information more recent than September 22, 2014.
So…. do you think notification should be required for this situation? My question has nothing to do with whether two-year-old data could be meaningful or important, but rather whether we are over-notifying in situations where an investigation has turned up no evidence of access or acquisition.