A ransomware attack on Betty Jean Kerr People’s Health Centers based in St Louis, MO happened on September 2, 2019 and so its health centers staff were unable to access some types of patient, provider, and personnel data.
Betty Jean Kerr People’s Health Centers detected the security incident on September 3 and notified law enforcement. The healthcare provider received a ransom demand but decided not to pay it. A third-party IT company helped to recover the data, but the recovery of the encrypted data was not possible. The encrypted information is deemed permanently lost, except if the security researchers developed a decryptor that could recover the files. It was not disclosed what type of ransomware the attackers used and if the backup data files were likewise encrypted.
The investigation results revealed that the types of information encrypted in the attack include patient names, addresses, birth dates, Social Security numbers, pharmacy information, medical insurance details, dental x-rays, and some clinical records. The patients affected by the ransomware attack got medical services at Betty Jean Kerr People’s Health Centers from 2011 to September 2, 2019. The ransomware attack had no impact on its electronic health record system.
Healthcare companies impacted by the breach wanted to be credentialed by People’s Health Centers from 2010 to September 2019. The information provided by those healthcare companies, such as names, location, and Social Security numbers, were likewise encrypted. The names, Social Security numbers and addresses of employees of People’s Health Centers from 2012 to September 2, 2019 were also encrypted.
People’s Health Centers has affirmed the encryption of information of the patients, providers, and employees, however, there’s no confirmation if the attackers viewed or copied any information during the ransomware attack. The people behind the attack are alleged to be from outside the U.S.A.
Altogether, the sensitive data of about 152,000 people were exposed. People’s Health Centers is providing 12 months of complimentary credit monitoring services to the people impacted by the security breach.