The Women’s Health Care Group of Pennsylvania, with 45 offices throughout the state, has notified 300,000 of its patients that a ransomware attack has put their personal health information at risk for theft.
On May 16, 2017, the healthcare system discovered the infected server and workstation at one of its practices. Officials said the infected server and workstation were removed from the network, where officials then launched an investigation by a computer forensics team.
The investigation revealed the cybercriminals began hacking the system as early as January 2017 through a security vulnerability.
Officials stated that the security flaw allowed limited access to patient information before it encrypted certain files.
The health system couldn’t determine if patient information had been acquired or viewed.
The data stolen by external hackers included names, Social Security numbers, birth dates, pregnancy histories, blood type information, lab results, medical record numbers, insurance information and medical diagnoses.
Officials said the encrypted files were restored from a back-up server and did not disrupt patient care. However, with the stolen personal information, the criminals can easily create false IDs, insurance fraud, or simply sell it off on the dark web.
The health system has also filed a report with the FBI.
Given the sensitivity of the data and how valuable it is, Women’s Health Care Group did the right things once they found out about the data breach.
However, the efforts of the health group was unfortunately not enough nor in time.
This incident serves as another reminder for the importance of a comprehensive internal review and teaching your team best information security practices.
Healthcare organizations need to take every effort to prevent security breaches at all costs.