Ransomware attack on fetal diagnostic lab in HI

Sept. 14, 2018

Fetal Diagnostic Institute of the Pacific (“FDIP”) is provided the following public notice of breach of unsecured protected health information (“PHI”) to satisfy its obligations pursuant to 45 CFR § 164.406:

What happened: On June 30, 2018, FDIP became aware that it was the victim of a ransomware attack. Specifically, a malicious software accessed data stored on FDIP’s servers, including patient records, and encrypted it. FDIP engaged a leading cybersecurity firm and was able to successfully remove the malware and restore the data using backup files maintained for such a contingency. FDIP takes seriously our responsibility to protect the confidentiality of patients’ personal information. Our policies prohibit the improper use, access, or disclosure of patients’ confidential personal information.

Who and what information was involved: Data related to past and current patients of FDIP was potentially affected. While we have no evidence showing that any patient data was compromised, the cybersecurity firm was not able to definitively conclude whether any data was actually viewed or removed from FDIP’s servers. Accordingly, there is a possibility patients’ full name, date of birth, home address, account number, diagnosis, or other types of information may have been affected. FDIP does not store financial information such as credit card numbers.

What is being done: Because this access of PHI was not for the purpose of treatment, payment or healthcare operations, and did not fall within any of the exceptions to the general rule prohibiting use or disclosure of an individual’s PHI without written authorization as set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) regulations, it constituted a violation of HIPAA. As required by law, FDIP will report this incident to the U.S. Department of Health and Human Services. As described above, FDIP took immediate action to address the malware attack and restore all affected data.

The cybersecurity firm cleansed FDIP’s computer systems, confirmed that no malware remained, and implemented additional protections to help avoid any future incidents. We do not expect that patients will experience any harm from this unauthorized disclosure, and there is no action patients need to take at this time.

However, should any patient receive any suspicious communications or become aware of other activity they believe may be related to this event, please inform us immediately.

FDIP has the release