330K Patients Impacted in Ransomware Attack on New York Medical Group

Orthopedic Associates of Dutchess County has revealed that the protected health information (PHI) of some of its clients may have been impacted during a recent cyberattack.

The New York medical group first noticed the security breach when suspicious activity was identified on its systems on March 5, 2021. Following this discovery, a review of the incident confirmed that systems had been accessed on or around March 1, 2021, by unauthorized individuals. The cybercriminals were able to access a range of databases and successfully encrypted files. Once this was completed, they demanded a ransom payment to release the keys to unlock the encrypted files. The protected health information of 331,376 individuals was potentially compromised in the attack.

The attackers also claimed they had stolen sensitive data prior to the encryption of files and threatened to release the data if payment was not made. Orthopedic Associates of Dutchess County was unable to determine which files had been exfiltrated.

Subsequent investigations found that files potentially accessed included PHI such as names, addresses, contact telephone numbers, email addresses, emergency contact data, diagnoses, treatment notes, medical record numbers, health insurance information, payment details, dates of birth, and Social Security numbers.

Any client that may have been impacted in the breach has been contacted by mail and offered the chance to enroll in free credit monitoring and identity theft protection services for 12 months. As of yet, no evidence has been found to suggest any improper use of patient data.

In a separate incident, the Canton, OH-based medical billing company Entrust Medical Billing revealed it was infiltrated by hackers who used ransomware to encrypt files. The PHI of 5,426 individuals was potentially compromised in the attack.

An external cybersecurity firm was contracted to review and examine the extent of the breach. It discovered that, at some point around March 1, 2021, the cybercriminals stole files that included details such as names, addresses, birth dates, diagnosis/clinical data, treatment data, location, medical procedures, patient account information, and health insurance details.

So far nothing has been found to suggest there has been any attempted improper use of any of the stolen data. Those who had their PHI impacted by the breach have been made aware and, additionally, anyone who had their Social Security number stolen has been offered free credit monitoring services. As an additional precautionary step, new technical safeguards have been introduced and enhanced monitoring measures have been configured across the network and databases.

Author: Maria Perez