Potential PHI Breach Due to Office Server Ransomware Attack and Optometry Records Room Unauthorized Access

Ransomware Attack on Office Server

Paramus, NJ orthopedic surgeon Ronald Snyder, M.D., discovered that an office server was under ransomware attack. The patient billing data stored on the office server was encrypted and compromised.

Because of the ransomware attack on January 9, 2019, office staff could not access patient records. Thanks to regular server backups, the encrypted files were easily restored and no ransom was paid.

Even with the help of third-party computer forensics experts in investigating the breach, it could not be ascertained whether the attacker accessed patient information after the ransomware attack.

The investigators did not find any evidence suggesting that the attack was an attempt to access patient information. Because it could not be 100% certain that there was no data access, all patients impacted by the breach received breach notifications by mail.

The server files contained the following types of information: names, birth dates, genders, addresses, email addresses, telephone numbers, co-pay amounts, job statuses and patient statuses. The insurance identification numbers of some patients, which were created using their Social Security numbers, were also contained in the files. After the breach, additional safety measures were put in place to avoid a similar breach.

It is still unknown how many patients the breach affected.

Unauthorized Access of the Records Room

Gardner Family Health Network notified 5,064 patients that an unauthorized person gained access to the optometry records room of the Gardner St. James clinic.

Gardner discovered the unauthorized access on February 19, 2019. It is uncertain why the person accessed the room or what he did inside. However, it is likely that the person viewed patient records.

As a safety measure, Gardner Family Health sent notifications to all 5,064 patients whose information was potentially viewed. The patient records include the following types of information: names, addresses, birth dates, telephone numbers, medical record numbers, and consultation dates, times and locations.

Gardner Family Health made improvements to its clinics’ physical security to prevent similar breaches from happening in the future.