Over 200K Patients’ Data Affected by Ransomware Attack on Medical Imaging Company
by Ryan Ozawa
An Arizona-based digital medical imaging company found its electronic medical records (EMR) system encrypted with ransomware earlier this year, potentially affecting 244,813 of its patients.
About Assured Imaging
Assured Imaging, also known as Assured Imaging Women’s Wellness, is one of the nation’s largest providers of mobile digital mammography, available in more than 60 offices across eight states.
The company’s self-contained mobile imaging motor coaches allow healthcare providers to quickly and easily add digital mammography to their offerings.
According to the company’s public notice, an unknown actor accessed its systems between May 15, 2020 and May 17, 2020 and removed “certain, limited data.” Two days later, its EMR system was encrypted by an attacker and made inaccessible across the company.
Assured Imaging’s parent company Rezolut describes the tool used as ransomware, but does not say whether the attacker contacted the company or made any demands.
The company says it worked quickly to restore access to its patient information and initiated an investigation with the help of independent, third-party computer forensic specialists. This investigation concluded on July 1.
What information was exposed?
In addition to names, addresses, and birthdates, the company’s EMR contained information including patient numbers, clinicians and facilities visited, patient medical history, services performed, and future test recommendations.
This protected health information (PHI) may not have been what the attacker was after, but its potential disclosure is of great concern to government regulators, who work diligently to ensure compliance with HIPAA.
“We are unaware that any of the information was misused by the unknown actor,” the notice says.
How did Assured Imaging respond?
Assured Imaging performed a comprehensive review of all information stored in its systems at the time of the incident to identify the individuals whose information may have been breached. The company then worked to determine the identities and contact information for patients who may be impacted.
Since the attack, the company says it is reviewing its policies and procedures and implementing additional information security safeguards. It also, as required, notified the U.S. Department of Health and Human Services. This landed Assured Imaging on the HHS’s “wall of shame.”
Meanwhile, the company has been encouraging its customers to “remain vigilant against incidents of identity theft.” The official notice included an entire section titled “Steps You Can Take to Protect Your Information,” which recommends reviewing credit reports and requesting that a “security freeze” or “fraud alert” be placed on accounts by consumer reporting agencies such as Experian, TransUnion, or Equifax.
Because Assured Imaging provides services in several states, including New York, Maryland, Rhode Island, North Carolina, and New Mexico, it provided region-specific recommendations as well.
How can attacks like this be avoided?
The objective of ransomware attacks is usually to persuade victims to pay money to regain access to their information. Because this information can include health information, ransomware attacks should always be treated like HIPAA data breaches.
Email is the most common threat vector that cybercriminals use to bypass a company’s security, so a HIPAA-compliant email service like Paubox Email Suite Premium is a smart investment. It includes inbound security features such as our patent-pending ExecProtect, data loss prevention (DLP) tools, and email archiving features.