Pacific Alliance Medical Center (PAMC), a hospital based in Los Angeles, suffered a ransomware attack on its servers in June. In a media briefing held by the medical firm, PAMC stated that its IT staff succeeded in removing the ransomware virus and decrypting the data. However, officials said that the investigation could not rule out that patient data was accessed.
Unauthorized access to files containing PHI
On June 14th, the hospital discovered its servers were compromised when files began to be encrypted without authorization. PAMC immediately turned to its emergency incident and recovery procedures and shut down the infected networked computer systems to prevent the virus from spreading. The healthcare provider’s IT team conducted the initial investigation, which revealed that several PAMC computers were impacted in the attack. Officials have stated that the virus was removed and the data was decrypted. PAMC has also notified the 266,123 affected individuals (with no breach notification delay due to the investigation) and reported the case to the FBI. However, the notice to the patients did not mention whether PAMC paid the ransom.
Unclear whether patient data was viewed or stolen
Officials said the investigation couldn’t rule out that patient data was viewed or stolen in the ransomware attack, although the organization didn’t uncover evidence to suggest the data was stolen. The lack of evidence is not unusual, though, as ransomware attacks typically do not involve stealing data (despite the high black market rate for stolen healthcare data). The impacted PAMC servers contained identifying personal and medical information such as names, demographic details, social security numbers, birth dates, employment information, insurance details, diagnoses, medical images and more. Thankfully, no financial information was included. PAMC officials contacted the FBI, the California Department of Public Health, the California Attorney General and the U.S. Department of Health and Human Services Office for Civil Rights.
Changes to OCR's Reporting Requirements
In 2016, the OCR changed its reporting requirements to place the burden of proof on providers. Because of this change, Pacific Alliance Medical Center is taking the cautious approach to ransomware breach reporting. The changes emphasize that providers must determine with certainty that hackers were unable to access data during the ransomware attack. PAMC's ransomware attack serves as a reminder that it's better to be safe than sorry by having sound cybersecurity measures in place.