PHI Potentially Compromised Due to Ransomware Attack on American Baptist Homes of the Midwest

American Baptist Homes of the Midwest (ABHM), an assisted living and assisted care facilities provider across the U.S Midwest, reported that a ransomware attack on its network resulted to a security breach.

The attack started some time on March 10, 2019. ABHM detected the attack promptly, but only after encryption started. The provider stopped the attack and secured the affected accounts, but file encryption was not prevented. The ransomware was able to encrypt files that contained the information of several ABHM clients.

The ransomware attack did not affect ABHM’s clinical and billing systems. Only the email accounts and general file systems were affected . It is believed that the attack was conducted to extort money from ABHM. However, because of the nature of attack, unauthorized access of protected health information (PHI) cannot be ruled out. To date, there’s no evidence received that PHI was misused or stolen.

The compromised servers and systems contained the following types of information: names and addresses combined with these data elements: financial data, Social Security numbers, diagnoses, laboratory test results, prescribed medicines and other medical data.

The ransomware attack impacted facilities in several locations including:

  • In Colorado: Mountain Vista Senior Living, Wheat Ridge; Health Center at Franklin Park, Denver
  • In Iowa: lm Crest Senior Living, Harlan; Crest Services – Cedar Rapids; Des Moines; Harlan; Ottumwa; and Chariton
  • In Minnesota: Thorne Crest Senior Living, Albert Lea; Crest Services- Albert Lea
  • In Nebraska: Maple Crest Health Center, Omaha
  • In South Dakota: Trail Ridge Senior Living, Sioux Falls
  • In Wisconsin: Tudor Oaks Senior Living, Muskego

A third-party data forensics firm assisted ABHM to successfully get rid of the ransomware from its networks and restore the encrypted data using backups.

To strengthen security and avoid more cyberattacks, ABHM hired a cybersecurity specialist to conduct a thorough risk assessment to determine possible risks and vulnerabilities. Technical security measures, such as strengthening of password specifications, using rate limiting to stop system brute force attacks and 24/7 system security monitoring, were implemented to secure all ABHM data.

ABHM already notified by mail all affected people and reported the incident to law enforcement and the HHS’ Office for Civil Rights (OCR).

The OCR breach portal has not published the incident yet. So, the exact number of people affected by the breach is currently unclear.