Potential PHI Exposure Due to Cyberattacks on Pediatric Physicians’ Organization at Children and Central Kansas Orthopedic Group

The Pediatric Physicians’ Organization at Children (PPOC) encountered a malware attack on February 10, 2020, causing a system outage. 500+ pediatricians, doctor assistants and nurse practitioners were not able to access patient data and consultation calendar. The PPOC is a physician group affiliated with Boston Children’s Hospital.

PPOC has approximately 200 servers. The malware attack didn’t affect 11 PPOC’s servers. IT personnel at PPOC and Boston Children’s Hospital took action without delay to stop the malware and quarantined the infected servers. As a safety precaution, even the unaffected servers were deactivated. Boston Children’s Hospital published a statement saying the attack didn’t affect its systems.

Because it was not possible to gain access to patient medical records, PPOC informed the patients that non-urgent visits will be rescheduled until the malware has been totally removed and PPOC has reactivated the servers. Children’s Hospital issued a statement on February 12, 2020, that servers restoration is still in progress. But there is no certain date when the restoration will be finished.

PPOC has over 100 practices all over Massachusetts and serves more than 350,000 patients. The malware variant employed in the attack is still unidentified. It is likewise uncertain whether the hackers viewed patient information.

Central Kansas Orthopedic Group Ransomware Attack

Central Kansas Orthopedic Group (CKOG) located in Great Bend, KS experienced a ransomware attack in November 2019 and its patient files were encrypted.

CKOG found out about the ransomware attack on November 11, 2019. The attackers sent a ransom demand but CKOG refused to give any ransom payment. Nevertheless, CKOG successfully retrieved all encrypted files, including patient medical records, using its backups.

The attack was investigated by a third-party forensic group to confirm if the threat actors had viewed or copied patient information prior to deploying the ransomware. The investigators found no proof of access or theft of patient information by hackers. There is likewise no report filed concerning data misuse.

It’s possible that the attackers had accessed these types of data: names, birth dates, email addresses, addresses, state-issued ID numbers, Social Security numbers, driver’s license numbers, medical data related to treatment services provided by CKOG, and healthcare insurance information. CKOG mailed notification letters to all affected patients and offered them identity theft protection services from ID Experts.

CKOG is checking its security platform and applying additional security protocols to reinforce its security posture.

There were 17,214 patients possibly affected by attacked as posted in HHS’ Office for Civil Rights breach portal.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone