A large family-owned Maryland-based nursing home organization recently reported that it had experienced a ransomware attack on June 6, affecting almost 50,000 residents in its facilities throughout the state. The owners notified the FBI and hired a team of security experts to evaluate the extent of the breach and the type of information the attackers accessed. Among the private information accessed were Social Security numbers, dates of birth, addresses, treatments, and health diagnoses.
There is concern regarding the potentially harmful effects that identity fraud and medical identity theft could have on residents due to the thieves getting access to their Social Security numbers and dates of birth.
The nursing home organization notified by letter all of the residents who were possibly impacted by the attack on June 16, 10 days after the incident occurred. A company representative issued this statement: “The letters include information about the incident and about steps that can be taken to protect personal information.”
The company is also offering complimentary credit monitoring and identity protection services for its residents, and it has also set up a call center to provide needed assistance.
When the nursing home organization refused to pay the ransom, the attacker leaked some of the information. The attack has been attributed to what is being called the “Netwalker” ransomware gang.
Compliance Perspective
Issue
Failure to protect the private health information (PHI) of residents, as required by the Health Insurance Portability and Accountability Act (HIPAA), that results in breaches due to ransomware attacks and potentially serious harm from criminal acts committed using that PHI, may be deemed by regulators as a violation of state and federal regulations.
Discussion Points
- Review policies and procedures addressing HIPAA to ensure that they are complete, appropriate, and comply with the provisions of the Security Rule.
- Train staff involved with the use and maintenance of the organization’s computer information systems regarding the HIPAA Security Rule, particularly the requirements for conducting risk analysis described in the security management process.
- Periodically audit to ensure that the organization is updating and implementing security policies and procedures appropriately in response to environmental or organizational changes that affect the security of electronic protected health information (ePHI). See: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
FOR MORE INFORMATION ON THIS TOPIC view: UNDERSTANDING AND PREVENTING RANSOMWARE, APTS, AND ZERO DAY EXPLOIT ATTACKS.