August 23, 2018


Central Colorado Dermatology (CCD) has informed over 4,000 patients that some of their protected health information (PHI) may have been accessed by hackers during a ransomware attack on its computer system.

An unauthorized person accessed CCD’s computer system and installed ransomware on a server. Medical files and patients’ medical charts were not accessed, although certain records and scanned fax communications were encrypted. A few of those records contained PHI.

An investigation was launched to determine whether protected health information was accessed or stolen, but it was not possible to determine with a high level of confidence whether any PHI was copied or viewed. CCD did not disclose any evidence indicating that PHI had been stolen or accessed, even though some of the software that had been installed on its system might have permitted records to be downloaded.

The records that might have been accessed included the following information: names, addresses, dates of birth, email addresses, insurance information, dates of service, clinical information, medical conditions, treatment information, diagnostic studies, lab test results, findings, contact telephone numbers, Social Security numbers, insurance payment codes and costs, copies of CCD reports and notes, and information sent to CCD from other healthcare providers by fax.

The investigation determined that remote access was gained to a single server on June 5, 2018, and that ransomware was installed the same day.

Upon detection of the attack, steps were taken to secure the network and block remote access, and a cybersecurity company was engaged to investigate the attack. After systems were secured and the malicious software was removed, the cybersecurity company continued to monitor the network for many weeks to make sure that no further attempts were made to access the system. During that time, no further intrusions were observed and no suspicious network activity was detected.

In response to the attack, CCD has changed its password requirements and how its network can be accessed, new anti-virus software has been installed, and further upgrades to system security have been made. That process is ongoing, guided by IT security experts. Changes have also been made to its fax software to make sure that digital copies of faxes are not automatically stored on its network.

Since unauthorized PHI access and theft of records could not be ruled out, notification letters were sent to all 4,065 patients whose PHI might possibly have been accessed. All patients affected by the breach have been offered one year of credit monitoring services.