Breach Notification , Critical Infrastructure Security , Cybercrime
Clinic: EHR Data Too Damaged to Recover Post-AttackMedical Practice Says Its Backups Also Destroyed in Ransomware Incident
An Arizona-based family medical practice says it is attempting to reconstruct thousands of patients' electronic health records following a May ransomware attack that badly corrupted the records as well as backup data.
In a Sept. 3 notification letter and data security incident notice posted on its website, 20-year-old Queens Creek, Arizona-based Desert Wells Family Medicine says a May 21 ransomware attack affected many of its IT systems, including badly corrupting patient EHRs and backup data.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
"Upon discovering the extent of the damage, we engaged additional forensics and recovery services as part of our exhaustive efforts to do everything we could to try and recover the data," the practice says. "Unfortunately, these efforts to date have been unsuccessful and patient electronic records before May 21 are unrecoverable."
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows that Desert Wells Family Medical reported its hacking incident on Aug. 30 as affecting 35,000 people.
Desert Wells Family Medical did not immediately respond to Information Security Media Group's request for additional details about the incident.
In its notification statements, Desert Wells Family Medical says that moving forward, "We are continuing to make every effort to compile our patients’ data from other sources, including from medical specialists, previous medical providers, hospitals, pharmacies, imaging centers, and labs, among others."
The practice says it will request patients to update "necessary forms" during this process.
To date, the independent firms assisting Desert Wells Family Medical have determined there is no evidence that any sensitive data was stolen or that any of the information involved has been or will be misused, the practice says.
Over the past couple of years, several other healthcare entities - mostly smaller clinical practices - have reported cyber incidents that also left their patients' electronic health records inaccessible.
For example, Houston-based Fondren Orthopedic Group in February 2020 said a malware incident that occurred in November 2019 “permanently damaged” thousands of electronic patient records.
In at least two other 2019 cases, healthcare providers chose to permanently shut down their businesses as a result.
For example, Wood Ranch Medical, a California-based clinic, closed its business in late 2019 because it couldn’t recover patients' records after a ransomware attack.
Also, Brookside ENT and Hearing Center, a two-doctor practice in Michigan, in late 2019 permanently shut down in the aftermath of a ransomware attack.
The practice said it had lost access to patient medical records, billing, scheduling and other critical data after attackers encrypted the data. Rather than pay a ransom to get a decryption key or attempt to restore the data, the physicians decided to retire.
Security experts stressed that keeping backup data updated and protected is essential for healthcare entities to help prevent falling victim to the consequences Desert Wells Family Medical and other entities have faced in trying to recover badly damaged records following a cyberattack.
"Backups must be secured. If they’re not, the attackers will delete or encrypt them so that they cannot be used to restore data," says threat analyst Brett Callow of the security firm Emsisoft. "The attackers may also steal them, as it’s an easy way to get their hands on an organization's data."
Additionally, backups should never be attached in any way to the main network, in order to prevent them from cyberattacks such as ransomware, says retired supervisory FBI agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP.
"There is a big movement to secure cloud-based backups to ensure quick and reliable restoration of victim data in the event of a cyberattack," Weiss adds. "Companies should not only institute a secure backup system, but test it regularly."
Healthcare institutions also must take other critical steps to ensure that their cybersecurity posture is as strong as possible, he adds.
"They should consider implementing proven cybersecurity frameworks and have their networks undergo a deep-seated risk assessment at least annually to ensure that the potential victims are as prepared as possible to repel a cyberthreat actor and keep them out of their networks," he says.
"Another critical step is to institute multifactor authentication as quickly as possible and to encrypt their own network’s data, both in transit and at rest," he adds.
No Sure Bets
While Desert Wells Family Medical says that investigators have not found evidence that the practice's data was acquired by attackers, the jury is still out on whether that is in fact the case, Callow contends.
"It’s not at all uncommon for organizations to state they found 'no evidence' of exfiltration but, of course, absence of evidence is not evidence of absence," he says.
"In multiple past cases, data has been posted online despite there being 'no evidence' of it being taken."