Data held hostage in bizarre Illinois breach

An unauthorized user gained access to and encrypted the server of a small Midwestern surgical practice and essentially held the information hostage in exchange for the password needed to regain access to the server.

According to a release issued by Surgeons of Lake County in Libertyville, Ill., the practice learned of the incident on June 25 when it discovered that an unauthorized user had gained remote access to a server containing Surgeons' corporate email and EMRs. The unauthorized user posted a message on the server stating that the contents of the server had been encrypted and could only be accessed with a password that would only be supplied if Surgeons made the demanded payment. After the practice received the demand, the server was turned off and has not been turned back on.

The practice contacted law enforcement and began an investigation of the incident.

The breach affected the records of more than 7,000 patients, according to the U.S. Department of Health and Human Services (HHS). Although it occurred in June, the breach wasn't widely reported until it was posted on HHS' list of data breaches affecting 500 or more individuals and on the Privacy Rights Clearinghouse site.

In the wake of the incident, Surgeons is undertaking additional measures to strengthen and enhance its protocols to ensure the security of patient records, according to its release. "Safeguarding every patient's personal information is a top priority at the Surgeons of Lake County," said Scott C. Otto, MD, president of the practice. "We are devoting significant people and technological resources to help protect patient confidentiality."

Surgeons believes that the intention of the unauthorized access was to extort payment from Surgeons, not to take patient information, and Surgeons is not aware of any reports that the information contained on the server has been misused as a result of this incident.

Regardless, the unauthorized user had the ability to access names, addresses, Social Security numbers, credit card numbers and certain medical information; and, as a result, Surgeons has mailed notification letters to individuals who may have been affected. Surgeons is offering them one year of free credit monitoring services, as well as call center support.

Beth Walsh, Editor
