Data held hostage in bizarre Illinois breach

An unauthorized user gained access to and encrypted the server of a small Midwestern surgical practice and essentially held the information hostage in exchange for the password needed to regain access to the server.

According to a release issued by Surgeons of Lake County in Libertyville, Ill., the practice learned of the incident on June 25 when it discovered that an unauthorized user had gained remote access to a server containing Surgeons' corporate email and EMRs. The unauthorized user posted a message on the server stating that the contents of the server had been encrypted and could only be accessed with a password that would only be supplied if Surgeons made the demanded payment. Upon receiving the demand, the server was turned off and has not been turned back on.

The practice contacted law enforcement and began an investigation of the incident.

The breach affected the records of more than 7,000 patients, according to the U.S. Department of Health and Human Services (HHS). Although it occurred in June, the breach wasn't widely reported until it was posted on HHS' list of data breaches affecting 500 or more individuals and on the Privacy Rights Clearinghouse site.

In the wake of the incident, Surgeons is undertaking additional measures to strengthen and enhance its protocols to ensure the security of patient records, according to its release. "Safeguarding every patient's personal information is a top priority at the Surgeons of Lake County," said Scott C. Otto, MD, president of the practice. "We are devoting significant people and technological resources to help protect patient confidentiality."

Surgeons believes that the intention of the unauthorized access was to extort payment from Surgeons, not to take patient information, and Surgeons is not aware of any reports that the information contained on the server has been misused as a result of this incident.

Regardless, the unauthorized user had the ability to access names, addresses, Social Security numbers, credit card numbers and certain medical information; and, as a result, Surgeons has mailed notification letters to individuals who may have been affected. Surgeons is offering them one year of free credit monitoring services, as well as call center support.