Data Breach Today reported that Urology Austin (UA) in Texas became a victim of a ransomware attack on January 22, 2017. The attack encrypted the stored data on UA’s servers. The breach affected the medical information of close to 280,000 patients, including names, addresses, birthdates, and social security numbers. The incident affected legacy applications and data, so former patients may also receive notifications. UA offered the affected patients free credit and identity monitoring for a year.
The breach happened on a Sunday. UA’s external and internal IT teams discovered the breach within minutes and shut the network down. The IT teams mitigated the damage by wiping the servers clean and restoring the data. UA had a backup plan to restore data quickly, and the restoration process took about a day.
To restore operations, UA’s IT team needed to wipe the server. Unfortunately, the IT team did not determine the type of ransomware used in the attack. However, UA’s attorney confirmed that it did not pay a ransom.
UA did not specify how its systems became infected. However, UA submitted a breach notice to the California attorney general. The notice indicated that an employee was a victim of a phishing attack. UA also reported that employees would be retrained regarding suspicious emails.
Is Ransomware a Breach?
HIPAA Journal explained that ransomware usually “blindly encrypts data.” The intention is to cause a major disruption to the business and force it to pay a ransom for the decryption key. In these types of attacks, the attackers usually do not access or steal data, which means the risk is low that protected health information (PHI) was accessed or stolen in the UA breach. However, according to the federal Ransomware Fact Sheet, the majority of ransomware attacks constitute a breach of PHI, which must be reported unless a low probability that the PHI was compromised can be properly demonstrated.
Although UA’s data was not accessed or stolen, the breach may have violated various federal and state breach laws. On the federal level, UA is a covered entity under HIPAA, so it is required to report compromised PHI. On the state level, Texas has a data breach law that UA must follow. Texas defines a “breach of system security” as “unauthorized acquisition of computerized data” and includes “data that is encrypted if the person accessing the data has the key required to decrypt the data.” Additionally, many other states have data breach laws that cover patients outside of the state.
UA management did not contact law enforcement because they determined that no data was stolen, but they reported the breach to various agencies. UA is listed on the HHS breach portal, commonly known as the Wall of Shame.