Prevent Ransomware Attacks

California-based Shingle Springs Health and Wellness Center provides medical, behavioral, dental, and pharmaceutical services. On April 7, 2019, the center discovered that its server had become infected with ransomware. 

A ransomware attack uses malicious software to gain access to a computer system and, usually, to disable it until a sum of money is paid.

The infection in this case may have compromised the protected health information (PHI) of up to 21,500 individuals.

The ransomware attack encrypted the facility’s files, rendering its systems inoperable. As a result, clinic staff were unable to access the systems. Regina Cuellar, Tribal Chairperson for Shingle Springs, noted in a June 6, 2019 statement that the company is not aware of any actual or attempted misuse of any PHI.

The files that were involved in the ransomware attack contained protected health information. This information includes patient names, addresses, Social Security numbers, telephone numbers, health insurance/payer information, provider(s) name, dates of service, amounts paid/owed, and diagnosis codes.

Shingle Springs Health immediately notified Indian Health Services of the ransomware attack. Indian Health Services is a branch within the Department of Health and Human Services (HHS) that oversees access for Native American Tribes and Alaskan Native people. Shingle Springs also reported the ransomware attack to the Federal Bureau of Investigation.

In response to the ransomware attack, Shingle Springs has installed new servers, fast-tracked system upgrades for all departments, and updated all workstations. The practice has also recommended that individuals who might have been affected monitor their credit accounts through the three major credit bureaus: Equifax, Experian, and TransUnion.

Shingle Springs has taken the additional precaution of arranging to provide potentially affected patients with 12 months of complimentary credit monitoring through MyIDCare. The free monitoring service began on Wednesday, June 12, 2019.

How to Prevent Ransomware Attacks

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released guidance advising organizations on how to protect themselves from and prevent ransomware attacks. The guidance contains the following recommendations:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a remediation plan to mitigate those identified risks
  • Implementing procedures to safeguard against malicious software
  • Training authorized users to detect malicious software and report such detections
  • Limiting access to ePHI to only those persons or software programs requiring access
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operation, frequent data backups, and test restorations
  • Understanding ransomware and how it works, and knowing how to spot the signs
  • Implementing security incident responses and mitigating the consequences of ransomware

Ransomware attacks can be costly and negatively affect your organization’s reputation. Making sure your organization has proper safeguards in place to protect PHI can save your organization from ransomware attacks and costly remediation efforts.

To address HIPAA cybersecurity requirements, Compliancy Group works with IT and MSP security partners from across the country. You can contract with these partners so that they can properly handle your HIPAA cybersecurity protection needs.

Find out more about how Compliancy Group helps you simplify compliance and cybersecurity today!
