Ransomware Attack on Andrews Braces Impacts PHI of 16,600 Patients

The Sparks, NV orthodontics clinic, Andrews Braces, has suffered a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day.The practice contracted a third-party forensic investigator to examine the range and extent of the attack and determine whether patient information had been stolen before encryption. While it is not uncommon for ransomware attacks to involve data theft, the investigation did not uncover any proof to suggest data had been obtained by the hackers. This seemed to be an automated attack with the sole aim of encrypting data to extort money from the practice.

The practice constantly backed up patient data and stored its backups securely, so it was possible to bring systems back online quickly and recover data without paying the ransom demand. Data theft is not suspected but the possibility could not be eliminated, so notification letters have been issued to all impacted patients. The range of data which could potentially have been accessed by the hacker included names, addresses, dates of birth, Social Security numbers, email addresses, and health data.

Andrews Braces has now configured extra security solutions and has taken other steps to harden security to stop more attacks going forward

Elsewhere, EVersana a supplier of global services to the life sciences sector, has revealed an unauthorized individual gained access to the email accounts of some of its staff members in 2019.

EVERSANA was notified about unusual activity in its employees’ accounts and found that the accounts had been accessed by an unauthorized person through a legacy technology environment. The investigation found that the accounts were accessed between April 1 and July 3, 2019.

The accounts included data from a small number of patient services programs. No proof of unauthorized data access was identified, but it is possible that the attacker(s) accessed the sensitive information of specific patients.

The breach has not yet been published the HHS’ Office for Civil Rights website, so it is currently unknown how many individuals have been impacted.

Author: Maria Perez