Wisconsin Urology Group Notifies Patients of Data Breach Due to Ransomware Attack

Wauwatosa, Wis.-based Metropolitan Urology Group has notified its patients of a breach of unsecured patient health information due to a ransomware attack back in November 2016.

According to a statement on the medical group’s website, on January 10^th, 2017, Metropolitan Urology Group (MUG) was made aware that a ransomware attack that occurred November 28, 2016 exposed certain patient health information to the hackers who infected two MUG servers with the ransomware virus.

According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, the breach affected the protected health information (PHI) of 17,634 individuals, and the breach notification was submitted to OCR on March 10^th. The incident was categorized as hacking/IT incident on a network server.

“MUG has been working with a premier, international information technology firm to remove the ransomware virus and is taking steps to ensure that such attacks never occur again. MUG has blocked all traffic from accessing the affected servers,” the medical group stated. Further, the medical group wrote in the statement, “MUG has installed the best firewall protection and secure email system. It is protecting all devices used by MUG employees, and updating its policies and procedures to reflect these technological changes. MUG is also conducting a risk analysis of its information technology system to detect any other vulnerabilities that may exist so it can quickly correct them. Both MUG and its information technology vendor, Digicorp, will be undergoing training on information security.”

The information exposed relates to services provided to patients by MUG between 2003 and 2010 and includes patient first and last name, procedure codes, dates of service, patient account number or patient control number and provider identification number. Less than five patients also had the social security numbers exposed.

The medical group is offering all affected patients free credit monitoring for a year. It has also established a call center to answer questions from patients.