The Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, HI, suffered a ransomware attack on June 30, 2018. File-encrypting software was installed on an FDIP server and encrypted a wide variety of file types, including patient medical records.
FDIP engaged a prominent cybersecurity firm to carry out a full investigation into the breach, to determine whether patient data was accessed by the attackers, and to help with breach remediation. The investigation did not uncover any evidence that patients’ protected health information (PHI) was accessed, viewed, or stolen by the people behind the attack, although it was not possible to rule out data access and data theft with a high level of confidence.
As a result, the incident is being treated as a HIPAA breach, patients are being notified, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been notified.
An analysis of the files encrypted by the ransomware revealed that they contained a variety of protected health information. Patients affected by the security breach might have had their full name, account number, date of birth, home address, diagnoses, and “other kinds of information” exposed. No financial information was exposed as a result of the attack. The breach report submitted to OCR shows that 40,800 current and former patients have been affected by the breach.
FDIP says that swift action was taken to address the breach, remove the malicious software, and restore all encrypted files. Its systems have now been cleaned and no sign of any malware remains. Steps have also been taken to improve security protections to prevent further security breaches and unauthorized disclosures of patient data.
FDIP doesn’t expect patients to suffer any harm as a result of the ransomware attack, although patients have been urged to contact FDIP immediately if they become aware of any suspicious activity that they think is linked to the breach.
This is only the fifth data breach of over 500 records to have been reported to OCR by a Hawaii-based covered entity since OCR first began publishing data breach summaries in 2009.