Paubox blog: HIPAA compliant email made easy

Ransomware attack on Ohio hospital affects nearly 8,000 patients

Written by Kapua Iao | August 21, 2020

A recent ransomware attack on an Ohio-based hospital highlights the importance of utilizing HIPAA compliant email. Muskingum Valley Health Centers (MVHC) sent a letter to affected patients on July 31 to inform them of a ransomware attack on the electronic medical record (EMR) system of OB/GYN Specialists of Southeastern Ohio Inc. Before sending this notice, MVHC took the server containing the EMR system offline and began an internal investigation. It also hired an external cybersecurity firm.

 

Who was affected by the ransomware attack?

According to the cybersecurity firm MVHC hired, a ransomware attack on May 31 “encrypted three systems of OB/GYN Specialists, including the server containing patient records for the period of 2012-2017.” An employee discovered the ransomware on June 2. Exposed protected health information (PHI) may include demographic, clinical, and financial information such as:

 

Demographic information:
  • Patient names
  • Date of birth
  • Addresses

Clinical information:
  • Diagnoses/conditions
  • Lab results
  • Medications
  • Other treatment information

Financial information:
  • Claims information

 

RELATED: Is a Name PHI?

Unfortunately, MVHC also assumes the breach exposed Social Security numbers but not bank/credit card account information. As reported to the U.S. Department of Health & Human Services Office for Civil Rights (OCR), the breach affected 7,447 individuals.

 

What steps were taken by MVHC after the breach?

MVHC explains in its notice that there is “no evidence that the data was exfiltrated (copied or transferred).” In other words, the hospital believes there is no opportunity for the threat actor to use or publicly disclose PHI. Nevertheless, MVHC offered all affected individuals identity theft protection services along with recommended steps to follow. And given that a threat actor did breach its system, MVHC:
  • Revised its security policies and procedures
  • Strengthened password requirements
  • Updated its security risk analysis

There is no mention of updated employee awareness training.

 

How harmful is ransomware?

Ransomware is malware used to deny a victim access to a system (mostly through encryption) until a ransom is paid.

RELATED: The Costs of Ransomware Attacks

MVHC confirms that three of its systems were encrypted, but it did not confirm whether there was a ransom demand or how the ransomware first got onto the servers. Ransomware is harmful to any business or organization, and according to the Verizon 2020 Data Breach Investigations Report, it is on the rise. Specifically for healthcare organizations, INTERPOL’s Secretary General Jürgen Stock states that locking a hospital’s system could lead to delayed care. Moreover, a recent study in the Journal of General Internal Medicine found that patients withheld information to avoid PHI exposure. OCR lists over 1.13 million individuals affected by cyberattacks in July 2020, with the majority coming from hacking/IT incidents. While not the biggest healthcare breach in July, MVHC’s breach still demonstrates the need for solid cybersecurity.

 

How can strong email security help?

Overall, vigilance and email security are critical to helping healthcare organizations avoid HIPAA violations. That’s why organizations choose Paubox Email Suite Plus to send HIPAA compliant email directly to patients’ inboxes (no password or portal required) and to protect themselves from cyberattacks with robust inbound security tools such as ExecProtect and spam filtering. Paubox Email Suite Plus seamlessly integrates with a customer’s existing email provider to send encrypted email by default; no change in user behavior is required once it is configured. Stop ransomware from infecting your systems, locking critical information, and worrying patients.

 

Try Paubox Email Suite Plus for FREE today.