Urology Austin recently announced on its website that it experienced a ransomware attack on January 22, 2017, which potentially exposed patient data that was stored on the compromised server.
The OCR data breach reporting tool states that 279,663 individuals were possibly impacted by the incident.
Urology Austin said that it became aware of the incident within minutes of the attack, shut down its computer network, and started an investigation.
“We also began to take steps to restore the impacted data and our operations,” the statement explained. “Through our investigation, we determined that some patient information was impacted by the ransomware.”
Potentially affected information included patient names, addresses, dates of birth, Social Security numbers, and medical information.
Urology Austin said that notification letters were sent out to individuals, and that those impacted will be offered complimentary identity theft resolution services.
“We take the security of our patients’ information very seriously and we have taken steps to prevent a similar event from occurring in the future, including strengthening our security measures and ensuring that our networks and systems are now secure,” Urology Austin maintained.
Greg Philipson told local news station KXAN that he received a data breach notification letter, but almost threw it away because he had not been a Urology Austin patient for more than 20 years.
“I think companies, small businesses and doctor’s organizations have to be more vigilant about protecting our data as citizens,” Philipson said. “And not providing us with unnecessary stress in addition to going to a doctor.”
A Urology Austin representative told the news source that the organization did not pay the ransom and was able to restore patient information from a backup.
Healthcare ransomware attacks are quickly becoming a key focus area in organizations' data security measures. Having backups in place can help restore compromised information and keep daily operations running smoothly in the wake of an attack.
Earlier this month, ONC discussed best practices for ransomware attack mitigation and prevention in updated SAFER Guides.
For example, the Contingency Planning SAFER Guide discusses how healthcare organizations can best approach planned or unplanned EHR downtimes. This could include the fallout from a ransomware attack, or even hardware infrastructure failures.
“Such unavailability can introduce substantial safety risks to organizations that have not adequately prepared,” ONC explained on its website. “Effective contingency planning addresses the causes and consequences of EHR unavailability, and involves processes and preparations that can minimize the frequency and impact of such events, ensuring continuity of care.”
ONC added that EHR unavailability could lead to various issues, such as medication errors, unavailability of images, and canceled procedures. Substantial contingency planning, including a contingency planning team working with practicing clinicians, is necessary for all healthcare organizations.
“Creating a contingency plan as required by the HIPAA Security Rule will address many, but not all, of the recommended safety-oriented practices in this guide,” ONC noted. “We encourage coordination of completion of the self-assessment in this SAFER Guide with contingency planning for purposes of HIPAA compliance to provide a uniform approach to patient safety and data protection.”