Desert Wells Family Medicine, a local Arizona medical practice, recently lost its electronic health record (EHR) system permanently due to a cyber-attack (reference). The worst part? They did have the EHR data backed up, but everything was still lost.
In a growing phenomenon among cyber-attacks, the ransomware attack successfully encrypted both the original EHR files and the backup EHR files. While we often preach the importance of backing up essential data, in this case, even backups were compromised, posing a much larger problem.
Among the EHR data, the protected health information records of 35,000 patients were compromised. Sensitive data included treatment information, social security numbers, medical record numbers, billing account numbers, addresses, dates of birth, patient names, and more.
Despite all efforts to recover the compromised data, including hiring external specialists, nothing has been successful. The data remains lost. The practice has been forced to completely reconstruct its EHR records, a time-consuming, costly, and grueling process.
In short, some ransomware attacks are unavoidable. However, many can be avoided. The process of encrypting both the primary EHR data and the backup EHR data was a two-part attack. With processes like high-end threat monitoring, it’s possible the attack could have been impeded before it reached the EHR backups. As with all organizations that are victims of ransomware attacks, it’s necessary to take a deep look in the mirror and evaluate organizational security practices.
If you are a medical practice looking to enhance your IT security, PK Tech can help. We are highly experienced working with medical practices and fully equipped to navigate ever-changing HIPAA laws. PK Tech owns Compliancy Group’s HIPAA Seal of Compliance. You can also check out our HIPAA Technology Survival Guide and 4 Quality HIPAA Resources for Your Business.
Reach out to PK Tech if we can help.