The attack on MHD stemmed from a ransomware attack on Marin Medical Practices Concepts, the health system’s medical billing and electronic medical record services vendor. The breach occurred on July 26.
MHD reported the attack on September 28, when it notified its 5,000 patients some of their medical data was lost during the attack. According to officials, Marin providers were unable to access patient data for more than a week. The computer systems are back online, but the provider lost two weeks of backup data.
A third-party forensic investigation determined there was no evidence patient data, including financial and health information was accessed. However, officials said due to a failure in MMPC’s backup systems during restoration, patient data collected at MHD’s nine medical centers between July 11-26 was lost. Diagnostic test results weren’t lost, and patients don’t need to be re-tested.
MMPC’s CEO Lynn Mitchell told the Marin Independent Journal that the ransom was paid, but said the amount will not be disclosed.
Meanwhile, the six sites of the New Jersey Spine Center were attacked by Cryptowall ransomware on July 27, 2016. It encrypted not only the electronic health record, but also the backup files and phone system. According to officials, the antivirus software detected the virus only after the ransomware was installed.
Hackers likely gained access through a list of stolen passwords run by an automated program. As the organization’s backup files were inaccessible and there’s currently no decryptor for this ransomware variant, officials said there was no alternative but to pay the cybercriminals. The amount paid wasn’t disclosed.
Some 28,000 patients were affected by the breach, according to the breach report sent to the Department of Health and Human Services’ Office for Civil Rights. The FBI and local authorities were also notified of the breach.
Officials said there is no evidence that suggests patient data like Social Security numbers, credit card data and medical history was stolen, but there’s no way to rule out unauthorized access. The organization is offering patients one year of free credit monitoring.