The recent Ambulatory Surgery Center ransomware attack has resulted in the protected health information of 13,000 patients being exposed, according to a recent article in the Bucks County Courier Times.
Ambulatory Surgery Center, a provider of outpatient surgical and diagnostic procedures in Langhorne, PA, discovered the attack on June 1, 2016. Staff at the center were prevented from accessing files, which tipped off the organization to the attack. A ransom note was discovered which requested payment in exchange for the keys needed to unlock the encrypted files.
As is required under HIPAA Rules, Ambulatory Surgery Center had performed regular backups of patient data and was able to recover from the attack without paying the attackers. The files were restored on the same day as the attack, resulting in no disruption to patients or services. Patient data is not understood to have been stolen in the attack, although Ambulatory Surgery Center was not able to rule out the possibility that the data had been viewed by the attackers.
Patients Notified of Ambulatory Surgery Center Ransomware Attack
The Department of Health and Human Services’ Office for Civil Rights has recently published guidance for HIPAA covered entities on ransomware attacks. Ransomware attacks are, in the majority of cases, classed as reportable HIPAA breaches.
Ransomware attacks on healthcare organizations do not need to be reported if the data had already been encrypted by the organization before the attack took place. It is also not necessary to report the attack to the OCR if the organization can demonstrate that there is a “low probability that the PHI has been compromised.” (Further information on HIPAA Rules regarding ransomware attacks can be found at this link.)
The Ambulatory Surgery Center ransomware attack occurred before the guidance was issued, although the decision had already been taken to treat the incident as a data breach, and patients were notified of the incident by mail. Patients have also been offered credit monitoring services as a precaution against identity theft.