152,000 Patients Affected by the Betty Jean Kerr People’s Health Centers Ransomware Attack

A ransomware attack on Betty Jean Kerr People’s Health Centers based in St Louis, MO happened on September 2, 2019 and so its health centers staff were unable to access some types of patient, provider, and personnel data.

Betty Jean Kerr People’s Health Centers detected the security incident on September 3 and notified law enforcement. The healthcare provider received a ransom demand but decided not to pay it. A third-party IT company helped to recover the data, but the recovery of the encrypted data was not possible. The encrypted information is deemed permanently lost, except if the security researchers developed a decryptor that could recover the files. It was not disclosed what type of ransomware the attackers used and if the backup data files were likewise encrypted.

The investigation results revealed that the types of information encrypted in the attack include patient names, addresses, birth dates, Social Security numbers, pharmacy information, medical insurance details, dental x-rays, and some clinical records. The patients affected by the ransomware attack got medical services at Betty Jean Kerr People’s Health Centers from 2011 to September 2, 2019. The ransomware attack had no impact on its electronic health record system.

Healthcare companies impacted by the breach wanted to be credentialed by People’s Health Centers from 2010 to September 2019. The information provided by those healthcare companies, such as names, location, and Social Security numbers, were likewise encrypted. The names, Social Security numbers and addresses of employees of People’s Health Centers from 2012 to September 2, 2019 were also encrypted.

People’s Health Centers has affirmed the encryption of information of the patients, providers, and employees, however, there’s no confirmation if the attackers viewed or copied any information during the ransomware attack. The people behind the attack are alleged to be from outside the U.S.A.

Altogether, the sensitive data of about 152,000 people were exposed. People’s Health Centers is providing 12 months of complimentary credit monitoring services to the people impacted by the security breach.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone