A recent Rainbow Children’s Clinic ransomware attack has resulted in the protected health information of patients being encrypted and made inaccessible to pediatricians and other clinic staff members.
Rainbow Children’s Clinic provides medical services to children in the Arlington and Grand Prairie areas of Texas. On August 3, 2016, the clinic was prevented from accessing certain data that were stored on its servers. An investigation was immediately launched which revealed a hacker had installed ransomware which was used to encrypt data.
A third-party computer forensic expert was hired to investigate the attack. It was discovered that in addition to encrypting data, some protected health information had been deleted and was permanently lost. No mention was made of any ransom being paid to the attackers to recover data and the number of patients whose protected healthcare information was deleted was similarly not disclosed.
Patients affected by the Rainbow Children’s Clinic ransomware attack have now been notified of the security breach and potential exposure or deletion of their PHI. Individuals impacted by the breach have been offered complimentary credit monitoring and identity theft protection services in case any data were copied by the attacker. In total, 33,698 current and former patients have been impacted.
The data accessed and encrypted in the attack included patients’ names, addresses, dates of birth, Social Security numbers, medical payment information, medial data, and guarantors’ names and addresses and their Social Security numbers.
So far this year, several healthcare organizations have reported being attacked with ransomware, a number of which have been forced to pay a ransom to regain access to patient data. Healthcare organizations are required to issued breach notification letters to patients – and inform the Department of Health and Human Services’ Office for Civil Rights – of ransomware incidents under HIPAA Rules; although they are not obliged to disclose whether a ransom has been paid.
However, Hollywood Presbyterian Medical Center announced in February that it was forced to pay $17,000 to criminals to obtain keys to decrypt PHI when it was discovered the data could not be recovered from backups.
While ransoms have been paid to unlock ransomware-encrypted data, this is the first healthcare organization to announce that data have been lost because of a ransomware attack.