A ransomware attack involving Marin Healthcare has been reported that resulted in the encryption of sensitive patient data. The attack affected one of Marin Healthcare’s vendors, Marin Medical Practices, which provides medical billing and EHR services.
In accordance with HIPAA Rules, the vendor performed backups of protected health information. Under normal circumstances this would have allowed the organization to recover the locked files without having to pay the attackers for a decryption key. However, the process of restoring files from a backup failed. To prevent data loss, it was necessary to pay the ransom demand to obtain the decryption key.
After obtaining the key, Marin Medical Practices was able to recover from the infection and regain access to the encrypted files, which included clinical histories, doctors’ notes, records of examinations, and patients’ vital signs. Those data were collected from Marin Healthcare medical centers between July 11 and July 26, 2016.
According to a statement released by Marin Healthcare, the ransomware attack impacted 5,000 patients. However, a full investigation of the Marin Healthcare ransomware attack by a third-party forensics firm did not uncover any evidence to suggest the attackers had accessed or stolen any patient data.
The attack has been reported to the Federal Bureau of Investigation and state and federal agencies, including the Department of Health and Human Services Office for Civil Rights (OCR). Under HIPAA Rules, ransomware attacks must be reported to OCR unless organizations can demonstrate the risk of PHI having been viewed or stolen is particularly low. Affected patients have also now been notified of the attack by mail to alert them to the potential exposure of their protected health information.
Californian healthcare organizations have experienced a number of ransomware attacks this year. Only last week, Keck hospitals announced that two of its servers had been encrypted by ransomware. However, it was possible to restore the locked data from backups and no ransom was paid.
Earlier this year, Hollywood Presbyterian Medical Center was not so fortunate. It too was forced to pay a ransom to recover locked files. A ransom of $17,000 was paid to obtain the keys needed to decrypt the files. Marin Healthcare has not disclosed how much was paid.