Data held hostage in bizarre Illinois breach

privacy and security - 213.47 Kb
An unauthorized user gained access to and encrypted the server of a small Midwestern surgical practice and essentially held the information hostage in exchange for the password needed to regain access to the server.

According to a release issued by Surgeons of Lake County in Libertyville, Ill., the practice learned of the incident on June 25 when it discovered that an unauthorized user had gained remote access to a server containing Surgeons' corporate email and EMRs. The unauthorized user posted a message on the server stating that the contents of the server had been encrypted and could only be accessed with a password that would only be supplied if Surgeons made the demanded payment. Upon receiving the demand, the server was turned off and has not been turned back on.

The practice contacted law enforcement and began an investigation of the incident.

The breach affected the records of more than 7,000 patients, according to the U.S. Department of Health and Human Services (HHS). Although it occurred in June, the breach wasn't widely reported until it was posted on HHS' list of data breaches affecting 500 or more individuals and on the Privacy Rights Clearinghouse site.

In the wake of the incident, Surgeons is undertaking additional measures to strengthen and enhance its protocols to ensure the security of patient records, according to its release. "Safeguarding every patient's personal information is a top priority at the Surgeons of Lake County," said Scott C. Otto, MD, president of the practice. "We are devoting significant people and technological resources to help protect patient confidentiality."

Surgeons believes that the intention of the unauthorized access was to extort payment from Surgeons, not to take patient information, and Surgeons is not aware of any reports that the information contained on the server has been misused as a result of this incident.

Regardless, the unauthorized user had the ability to access names, addresses, Social Security numbers, credit card numbers and certain medical information; and, as a result, Surgeons has mailed notification letters to individuals who may have been affected. Surgeons is offering them one year of free credit monitoring services, as well as call center support.

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Around the web

If the Trump administration continues taking a laissez-faire stance toward AI—including AI used in healthcare—why not let the states go it alone on regulating the technology? 

Boston Scientific has announced another significant M&A deal, scooping up an Israeli medtech company focused on RDN technology. 

Harvard’s David A. Rosman, MD, MBA, explains how moving imaging outside of hospitals could save billions of dollars for U.S. healthcare.