The Fetal Diagnostic Institute of the Pacific (FDIP), based in Honolulu, Hawaii, was attacked by ransomware on June 30, 2018. The attack resulted in the installation of file-encrypting software on a server, which encrypted different types of files, including patient health records.
FDIP hired a top-rated cybersecurity firm to investigate the breach and determine whether the attackers accessed patients’ protected health information (PHI). The firm is also expected to assist with breach mitigation. So far, no evidence has been uncovered that suggests the attackers accessed, viewed, or stole patients’ PHI. However, data access or data theft cannot be ruled out. Subsequently, FDIP notified the affected patients and the Department of Health and Human Services’ Office for Civil Rights (OCR) of this HIPAA breach.
Analysis of the files encrypted by the ransomware showed that they included patient PHI. The patient information that may have been exposed included full names, addresses, dates of birth, diagnoses, account numbers and “other types of information.” Financial information was not included in the encrypted files. According to the data breach report, 40,800 past and present patients were affected by the breach.
FDIP reported that it took immediate action to deal with the breach, eliminate the malicious software from the system, and recover all encrypted files. As of this time, all systems are clean and no malware remains. Security protections were further improved to prevent security breaches and unauthorized access to patient data in the future.
It is unlikely that patients will experience any damages as a result of the ransomware attack. However, patients were advised to contact FDIP right away should they notice any suspicious activity related to the data breach. This is just the fifth data breach of over 500 records that a Hawaii-based covered entity has reported to OCR since 2009.