Ransomware attack on fetal diagnostic lab in HI

Sept. 14, 2018

Fetal Diagnostic Institute of the Pacific (“FDIP”) is providing the following public notice of breach of unsecured protected health information (“PHI”) to satisfy its obligations pursuant to 45 CFR § 164.406:

What happened: On June 30, 2018, FDIP became aware that it was the victim of a ransomware attack. Specifically, malicious software accessed data stored on FDIP’s servers, including patient records, and encrypted it. FDIP engaged a leading cybersecurity firm and was able to successfully remove the malware and restore the data using backup files maintained for such a contingency. FDIP takes seriously our responsibility to protect the confidentiality of patients’ personal information. Our policies prohibit the improper use, access, or disclosure of patients’ confidential personal information.

Who and what information was involved: Data related to past and current patients of FDIP was potentially affected. While we have no evidence showing that any patient data was compromised, the cybersecurity firm was not able to definitively conclude whether any data was actually viewed or removed from FDIP’s servers. Accordingly, there is a possibility patients’ full name, date of birth, home address, account number, diagnosis, or other types of information may have been affected. FDIP does not store financial information such as credit card numbers.

What is being done: Because this access of PHI was not for the purpose of treatment, payment or healthcare operations, and did not fall within any of the exceptions to the general rule prohibiting use or disclosure of an individual’s PHI without written authorization as set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) regulations, it constituted a violation of HIPAA. As required by law, FDIP will report this incident to the U.S. Department of Health and Human Services. As described above, FDIP took immediate action to address the malware attack and restore all affected data.

The cybersecurity firm cleansed FDIP’s computer systems, confirmed that no malware remained, and implemented additional protections to help avoid any future incidents. We do not expect that patients will experience any harm from this unauthorized disclosure, and there is no action patients need to take at this time.

However, should any patient receive any suspicious communications or become aware of other activity they believe may be related to this event, please inform us immediately.

FDIP has the release
