This without a doubt is the second largest health data breach caused by a ransomware attack. An Oaks, Philadelphia based women’s healthcare clinic ‘Women’s Health Care Group of PA’ (WHCGPA) was reportedly attacked with ransomware. On July 18, a security notice was posted by the clinic that revealed details about the attack.
As per the statement, the hack attack was identified in May this year by the clinical IT staff. WHCGPA is a respected organization across Philadelphia and offers obstetrician/gynecology services for women. It was discovered that at one of the offices, a server and a workstation were infected with the virus. The purpose of this virus was to “block access to system files.”
“On May 16, 2017, we discovered that a server and workstation located at one of our practice locations had been infected by a virus designed to block access to system files. Upon discovering the virus, we immediately removed the infected server and workstation from our network and began an investigation” the statement posted on the clinic’s website read.
A deeper probe into the hack attack, in which hundreds of thousands of patients were affected, revealed that a security flaw in its systems encouraged external hackers to gain access to the systems. It is believed that the malware was inserted into the system through this flaw.
The healthcare organization initiated an investigation on its own in collaboration with computer forensics experts, but later the FBI was also informed. Forensic analysis indicated that the system was infected way back in January 2017.
The company maintains that the hacked server stored limited patient information. The type of information that may have been hacked include “patient’s name, address, date of birth, Social Security number, lab tests ordered and lab results, telephone number, gender, pregnancy status, medical record number, blood type, race, employer, insurance information, diagnosis, and physician’s name,” the statement on WHCGPA’s website claimed.
It is also being claimed that driver’s license, credit card or any other type of financial data was not hacked as it wasn’t stored on the infected server.
WHCGPA stated that virus did encrypt certain files which were promptly restored via the backup server. Hence, the statement read, the incident didn’t affect the organization’s regular operations, and none of the information was lost.
For those who were affected, the organization will be offering free credit monitoring for a year while a comprehensive internal review of the information security related procedures and practices of the clinic to ensure that such events are prevented in the future.
On July 15th, the Department of Health and Human Services was reported by the clinic about the hacking/IT incident. According to the analysis of the HHS Office for Civil Rights’ HIPAA Breach Reporting Tool website about 300,000 individuals were affected.