AZ Ransomware Attack Leads to Unrecoverable EHRs, Data Loss

September 10, 2021 - Arizona-based Queen Creek Medical Center, also known as Desert Wells Family Medicine, will have to rebuild patient medical records from scratch after a ransomware attack corrupted and destroyed EHRs. Desert Wells began notifying 35,000 patients of the breach and made plans to implement a new EHR system.

The practice’s IT staff discovered suspicious activity on May 21 and immediately reached out to cybersecurity experts, an incident response team, and law enforcement.

A third-party forensics firm found no evidence that any protected health information (PHI) was stolen. However, the bad actor managed to corrupt the provider’s medical records system, resulting in significant data loss.

The records contained information including patient names, addresses, Social Security numbers, driver’s license numbers, patient account numbers, health insurance plan member IDs, medical record numbers, treatment information, and billing account numbers.

“Unfortunately, we have come to understand that the unauthorized individual that accessed our network corrupted the data,” Daniel B. Hoag, DO, a family practice physician at Desert Wells wrote in a separate letter to patients.

“Upon discovering the extent of the damage, we engaged additional forensics and recovery services as part of our exhaustive efforts to do everything we could to try and recover the data. Unfortunately, these efforts to date have been unsuccessful and patient electronic records before May 21, 2021, are unrecoverable.”

Desert Wells said that it did have backups of the data, but those were corrupted as well.

The family medicine practice plans to piece together new patient medical records using other sources, such as medical specialists, previous providers, pharmacies, imaging centers, labs, and hospitals. Patients will be asked to update forms during the process.

Desert Wells offered patients complimentary identity theft protection and credit monitoring services to impacted patients.

“As we have always been since the beginning of our practice 20 years ago, Desert Wells Family Medicine remains committed to providing excellent healthcare to our community,” Hoag continued.

“Despite this challenging situation, we continue to care for our patients using downtime processes and manual practices we have in place, and we have hired additional employees and other resources to support our patients’ needs.”

Along with implementing an upgraded EHR system, the practice said it will enhance endpoint detection, implement 24/7 threat monitoring, and train staff on cybersecurity best practices.

“We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause,” Hoag concluded.

A recent report suggested that smaller healthcare providers, outpatient facilities, and business associates are increasingly likely targets for healthcare data breaches compared to larger hospitals. Smaller practices may have less sophisticated cybersecurity infrastructures, making them more susceptible to cyberattacks.

Smaller facilities also often pay more in remediation costs after a cyberattack, research shows. A CyberMDX and Philips report revealed that large hospitals typically shut down for an average of 6.2 hours at $21,500 per hour after a cyberattack. Meanwhile, midsize hospitals typically shut down for around 10 hours at a rate of $45,700 per hour.

Although Desert Wells had backed up its data prior to the attack, the practice now faces a long journey to recovery.