A third-party security firm was hired to thoroughly investigate the attack and determine whether the attackers had gained access to or stolen patient data. While many ransomware gangs conduct manual attacks and steal data before deploying their ransomware payload, the investigation suggests this was an automated attack that was carried out with the sole aim of encrypting files to extort money from the practice.
The investigation into the hack is ongoing but, to date, no proof of unauthorized data access or data theft has been found. However, it was not possible to rule out unauthorized data access, so notification letters are now being sent to all patients whose protected health information was stored on the parts of the system that were targeted.
The substitute breach notice on the Brandywine Urology Consultants web portal revealed that the types of information that may have been accessed included names, addresses, Social Security numbers, medical file numbers, claims data, and other financial and personal data.
The IT security company and the practice have been reviewing security protections, policies, and procedures, and steps have been taken to improve security to ensure the integrity of the practice's systems and stop future data breaches. The central server deployed in the practice has been replaced and any computers impacted by the attack have either been re-imaged or replaced. Antivirus software has been updated and penetration tests are being carried out to identify any other areas where security needs to be enhanced.
The breach summary published on the HHS’ Office for Civil Rights breach portal states that 131,825 patients were potentially affected by the attack.