While investigating ransomware incident, ABCD Pediatrics uncovers evidence of other intrusion; more than 55,000 patients notified
ABCD Pediatrics, PA (“ABCD”) is committed to providing quality pediatric healthcare in the San Antonio area. Our mission is to provide the best care, to each patient, every time. With that being said, ABCD is writing to inform you about an incident that may have affected its patients’ protected health information. This notification is made in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, and the included Administrative Simplification provisions. See 45 CFR § 164.
During the morning of February 6, 2017, an employee of ABCD Pediatrics discovered that a virus gained access and began encrypting ABCD’s servers. The encryption was slowed significantly by existing antivirus software. Upon discovery, ABCD immediately contacted its IT Company, and ABCD’s servers and computers were promptly moved offline and analyzed. ABCD’s IT Company identified the virus as “Dharma Ransomware,” which is a variant of an older ransomware virus called “CriSiS.” ABCD’s IT Company reported that these virus strains typically do not exfiltrate (“remove”) data from the server; however, exfiltration could not be ruled out. Also, during the analysis of ABCD’s servers and computers, suspicious user accounts were discovered suggesting that hackers may have accessed portions of ABCD’s network.
ABCD’s IT Company successfully removed the virus and all corrupt data from its servers. Secure backup data stored separately from ABCD’s servers and computers was not compromised by this incident, and it was used to restore all affected data. As a result, no confidential information was lost or destroyed, including protected health information. Also, please note that ABCD never received any ransom demands or other communications from unknown persons. However, ABCD remains concerned because it discovered user logs indicating that computer programs or persons may have been on the server for a limited period of time. In addition to notifying its patients, ABCD notified the Federal Bureau of Investigations (“FBI”), and it will notify the Department of Health and Human Services.
While ABCD’s IT Company found no evidence that confidential information was actually acquired or removed from its servers and computers, it could not rule out the possibility that confidential information may have been viewed and possibly was acquired. Importantly, ABCD cannot confirm with a high degree of likelihood that confidential information remained secure throughout this incident. Generally, affected information may have included one’s name, address, telephone, date of birth, other demographic information, Social Security Number, insurance billing information, current procedural technology codes, medical records, and laboratory reports.
ABCD takes its patient’s privacy and the security of their information very seriously. ABCD had a variety of security measures in place before this incident, including network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection. Following this incident, ABCD’s IT Company located the source of the intrusion and implemented several measures to ensure this kind of incident does not occur again, which include state of the art cyber monitoring on its network. ABCD and its IT Company continue to assess its physical and cyber security.
We have arranged with Equifax Personal Solutions to help protect the identity and credit information of all patients. Patients can call 844-420-6493 Monday through Friday from 9:00 AM to 9:00 PM Eastern Standard Time to determine whether they were affected. Also, if any patient has questions, they can call this same number to speak with a customer service representative about the incident.
Patients also can place a fraud alert on their credit files with the three major credit reporting agencies. A fraud alert is a consumer statement added to one’s credit report. The fraud alert signals creditors to take additional steps to verify one’s identity prior to granting credit. This service can make it more difficult for someone to get credit in one’s name, though it may also delay one’s ability to obtain credit while the agency verifies identity. Patients can contact the three main credit reporting agencies at:
Equifax 1-800-525-6285 www.fraudalerts.equifax.com
Experian 1-888-397-3742 www.experian.com
TransUnion 1-800-680-7289 www.transunion.com
Fraud alerts are free and last 90 days unless you manually renew it or use the automatic fraud alert feature within a Credit Watch subscription. Patients also may want to order their credit report. By establishing a fraud alert, patients will receive a follow-up letter that will explain how they can receive a copy of their credit report. When patients receive their credit report, examine it closely and look for signs of fraud, such as credit accounts that are incorrect. Even though a fraud alert has been placed on their account, patients should continue to monitor future credit reports to ensure an imposter has not opened an account. If patients want to place a security freeze, they will need to call all three credit bureaus (information listed above) and place a security freeze on thier credit report. Charges to place and/or remove a security freeze vary by state and credit agency.
We deeply regret any inconvenience this incident may have caused. If patients have questions, please call 844-420-6493 Monday through Friday from 9:00 AM to 9:00 PM Eastern Standard Time.
SOURCE: ABCD Pediatrics, P.A.
ABCD Pediatrics’ notification to HHS reported that 55,447 patients were being notified.