Michigan-based Airway Oxygen, Inc. is notifying patients that their PHI may have been involved in a ransomware attack that took place earlier this year.
The medical equipment supply company explained in its notification letter to individuals that it became aware of the unauthorized access to its technical infrastructure on April 18, 2017. Ransomware was installed in an attempt to prevent Airway Oxygen from accessing its own data.
PHI involved in the breach included some or all of the following information: full names, home addresses, dates of birth, telephone numbers, diagnoses, types of services provided, and health insurance policy numbers. However, bank account numbers, debit or credit card numbers, and Social Security numbers were not involved, Airway Oxygen maintained.
The OCR data breach reporting tool states that 500,000 individuals may have been affected by the incident.
“Since learning of the incident, we immediately took steps to secure our internal systems against further intrusion, including by scanning the entire internal system, changing passwords for users, vendor accounts and applications, conducting a firewall review, updating and deploying security tools, and installing software to monitor and issue alerts as to suspicious firewall log activity,” explained the statement, which was signed by Airway Oxygen President Stephen Nyhuis.
Airway Oxygen added that it reported the incident to the FBI and has hired a cybersecurity firm to assist in an investigation. The company is also “identifying further actions to reduce the risk of this situation recurring.”
Even though Airway Oxygen said there is no indication any of the data was accessed or acquired, it recommended that potentially affected individuals monitor all of their healthcare and financial accounts for any suspicious activity.
Furthermore, individuals may want to consider requesting new credit cards or even placing a fraud alert on their accounts. A security freeze is another option to more carefully monitor accounts, the letter explained.
“We take the security of those with whom we work and their data very seriously and our team is working diligently to ensure breaches of this type do not happen in the future,” concluded the letter.
Earlier this year, a similar ransomware incident was reported by Urology Austin. In that case, 279,663 individuals were possibly impacted by the January 22, 2017 attack.
The organization explained that it became aware of the incident within minutes of the attack, shut down its computer network, and started an investigation.
“We also began to take steps to restore the impacted data and our operations,” the statement said. “Through our investigation, we determined that some patient information was impacted by the ransomware.”
Patient names, addresses, dates of birth, Social Security numbers, and medical information were all potentially involved in the ransomware attack.
A Urology Austin representative told local news station KXAN that the organization did not pay the ransom and was able to restore patient information from a backup.
Healthcare ransomware attacks can be especially devastating, but organizations should also be aware of the federal requirements for reporting potential incidents.
After the WannaCry ransomware attack in May 2017, HHS reminded Healthcare and Public Health Sector (HPH) organizations in an email about OCR guidance from 2016.
“OCR presumes a breach in the case of ransomware attack,” HHS explained. “The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach.”
Asking law enforcement to hold reports tolls the 60-day reporting deadline, the agency added.
“Reporting information to law enforcement, DHS, or other HHS divisions does not constitute inadvertent or intentional reporting to OCR,” HHS stated. “All reporting of breaches to OCR should be made as required by the HIPAA Breach Notification Rule.”
OCR presumes a breach occurred due to the ransomware attack if the incident involves unencrypted data. A covered entity or business associate will need to prove that the ePHI was encrypted throughout the entire process.
“If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user,” the OCR guidance reads.
“Because the file containing the PHI was decrypted and thus ‘unsecured PHI’ at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.”
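The OCR reasoning above turns on where the decryption happens: full disk encryption decrypts sectors transparently for any process in an unlocked session, so a process running as the user gets plaintext, whereas a record encrypted by the application with a key the process does not hold stays ciphertext. The following simulation is an added illustration, not part of the article or the OCR guidance; the volume model, the constructed PHI record and the toy HMAC-based cipher are all assumptions made here for demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample record; no real patient data.
PHI_RECORD = b"name=Jane Doe;dob=1960-01-01;dx=COPD;policy=CONSTRUCTED-123"

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    Illustration only; not a recommendation for protecting real PHI."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

class FullDiskEncryptedVolume:
    """Sectors hold ciphertext, but once the volume is unlocked for the session,
    every filesystem read is transparently decrypted for any process in it."""
    def __init__(self, disk_key: bytes) -> None:
        self._disk_key, self._sectors, self.unlocked = disk_key, {}, False
    def unlock(self, disk_key: bytes) -> None:
        self.unlocked = hmac.compare_digest(disk_key, self._disk_key)
    def write(self, path: str, data: bytes) -> None:
        self._sectors[path] = toy_cipher(self._disk_key, data)
    def read(self, path: str) -> bytes:
        if not self.unlocked:
            raise PermissionError("volume locked: only raw sectors reachable")
        return toy_cipher(self._disk_key, self._sectors[path])

def phi_exposed_to_user_process(volume: FullDiskEncryptedVolume, path: str) -> bool:
    """Any process in the user's session reads through the filesystem; the PHI
    counts as 'unsecured' if what comes back equals the plaintext record."""
    return volume.read(path) == PHI_RECORD

def fde_only_scenario() -> bool:
    """Only FDE in use and the user is logged in: the volume is unlocked, so the
    process receives plaintext and OCR presumes a breach."""
    disk_key = os.urandom(32)
    vol = FullDiskEncryptedVolume(disk_key)
    vol.write("/phi/patient.txt", PHI_RECORD)
    vol.unlock(disk_key)  # happens at boot/login, before any process runs
    return phi_exposed_to_user_process(vol, "/phi/patient.txt")  # True

def app_layer_scenario() -> bool:
    """The application encrypts the record with its own key before writing; FDE
    still decrypts the sector, but the process only sees application ciphertext."""
    disk_key, app_key = os.urandom(32), os.urandom(32)
    vol = FullDiskEncryptedVolume(disk_key)
    vol.write("/phi/patient.txt", toy_cipher(app_key, PHI_RECORD))
    vol.unlock(disk_key)
    return phi_exposed_to_user_process(vol, "/phi/patient.txt")  # False
```

The second scenario does not make the data unreachable; it only means the process obtains ciphertext, which is the distinction the OCR guidance draws when deciding whether PHI was "unsecured" at the moment of access.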