A virus that prohibited access to files crippled IT systems at Centrelake Medical Group this past February.
It appears the virus was not ransomware, but it did deny access to data, according to executives of the healthcare organization, which has eight locations in California.
The organization’s breach notification letter does not include an offer of protective services to affected individuals, which are sometimes offered in similar incidents.
“Centrelake enourages affected individuals to remain vigilant against incidents of identity theft and fraud, and to seek to protect against possible identity theft or financial loss by regularly reviewing their financial account statements, credit reports and explanations of benefits for suspicious activity,” patients were told.
The company restored its system and got help from a forensics firm in determining the nature and scope of the attack.
“As part of our ongoing investigation, we determined this virus was introduced by an unknown third party that had access to certain servers on our information system, which contain personal and protected health information relating to current and former Centrelake patients,” according to the notification letter, which was sent to patients and business partners.
“After a review of available forensic evidence, we determined that suspicious activity began on our network on Jan. 9, 2019, lasting until the virus infection on Feb. 19, 2019.”
While Centrelake asserts there is no evidence that the third-party viewed or took patient information stored on systems, the organization did confirm that impacted servers held files and software applications that may have included names, addresses, phone numbers, services, diagnoses, drivers’ license numbers, health insurance information, referring provider information, medical record numbers, dates of service and Social Security numbers.
In the notification letter, the organization did not publicly disclose how many patients were affected, but that information is mandated to be sent to the HHS Office for Civil Rights, which enforces HIPAA rules and maintains a data breach website. Centrelake could run afoul of OCR, which is encouraging organizations to offer protective services.