Patients Informed of Seguin Dermatology Ransomware Attack

Patients have been warned of a Seguin Dermatology ransomware attack that may have resulted in their electronic protected health information being accessed by the attackers. The Texas dermatology clinic was attacked on or around September 12, 2016, although it took until October 26 for a full forensic analysis of the affected computer to be completed. The investigation of the attack did not confirm that patient data had been stolen, although the possibility could not be ruled out entirely.

According to a press release from the legal firm Brin and Brin of San Antonio, the forensic analysis revealed there was “a high likelihood” that ePHI was accessed by the attackers. Consequently, the ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Rules.

The attack affected a server used by Seguin Dermatology owner Dr. Robert Magnon. Confidential data stored on the server included patients’ names, telephone numbers, addresses, demographic information, dates of birth, insurance billing information, and Current Procedural Terminology (CPT) codes.

No medical records or financial data were encrypted or accessed by the attackers, although some patients’ Social Security numbers may have been compromised.

Since there is a risk that data have been obtained by the attackers, patients have been offered a year of credit and identity theft protection services without charge.

The Seguin Dermatology ransomware attack has prompted a full review of policies and procedures at the clinic. Physical and computer security protections are also being reviewed, and steps will be taken to improve security to prevent future data breaches of this nature. All affected patients are being notified of the breach by mail, although it is currently unclear how many individuals have been affected, since the breach report has not yet appeared on the OCR breach portal.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news