The Arkansas Oral and Facial Surgery Center, with clinics in Springdale, Fayetteville and Harrison, posted a notice to patients that its computer network had been impacted by ransomware.
In the notice, posted on the organization’s website, Arkansas Oral and Facial Surgery Center said the incident was discovered July 26, 2017, and organization leaders began an investigation, which revealed that the ransomware had been installed on its systems by an unauthorized individual at some point earlier that morning or the evening before.
“As you may be aware, healthcare organizations and other types of companies across the country have been affected by similar types of ransomware cyber attacks and we believe that the motivation behind this incident was extortion, and not the theft of patient information. We have notified the FBI of this incident,” the organization said in its notification letter.
The incident was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which posted the incident to the breach portal as a hacking/IT incident that impacted 128,000 individuals.
In its notification letter, the organization stated, “Except for a relatively limited set of patients, our patient information database was not affected by the ransomware, however, imaging files, such as x-rays, and other documents such as attachments were impacted. While our investigation into the matter continues, it does not appear that patient information was stolen from our system.”
However, the organization stated that the ransomware has rendered the imaging files and documents inaccessible. “Based on our present investigation, it also appears that the ransomware rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident. Because we are unable to determine with reasonable certainty whether or not the perpetrator(s) placing the ransomware on our systems accessed patient information, and due to the impact on the availability of images and other files, we are providing you with notification of this incident,” the notification letter stated.
From its investigation to date, the organization said it believes information contained in the affected files included attachments and radiographs that might include demographic information such as patient names, addresses, dates of birth, and Social Security numbers; clinical information such as diagnosis, treatment plans or conditions; and other information such as health insurance information.
Following the incident, the organization said it has implemented a new record system and has arranged for credit monitoring protection for its patients for 12 months at no cost.