A Colorado medical group is notifying patients of multiple cybersecurity hacks on its network within a single week.
Longs Peak Family Practice, a medical clinic in Longmont, Col., issued a privacy notice last week stating that on Nov. 5, the group discovered suspicious activity on its computer network and determined that a hacker had penetrated the network. The notice said that LPFP “immediately began investigating and took actions to attempt to secure the network, but the hacker executed malicious code within the network before it could be stopped. The malicious code included ransomware that encrypted certain files on our computers,” the notice read.
Then, on Nov. 10, the practice discovered a second hack into the network that did not involve ransomware. LPFP officials said that the organization hired an outside firm with forensic computer expertise to assist in the investigation to identify any malware and further investigate any unauthorized access that may have occurred because of the hacking activity.
The investigation revealed that there was no specific evidence that any data including patients’ health information was removed or accessed from the network, but that there was evidence of unauthorized access to some parts of the computer system on November 5, 9 and 10, the organization reported. What’s more, there wasn’t any evidence of any patient files being opened on the LPFP computers, but because some of the software installed by the hackers could have been used to download computer files and some files were encrypted, the practice cannot be completely sure that health information was not compromised.
The type of information that could have been compromised includes patients’ electronic charts, which may include full name, LPFP’s patient ID number, date of birth, address, phone numbers, email address, social security number, insurance carrier, insurance payment codes with associated costs, driver’s license, dates of service, clinical information including medical conditions, diagnoses, medications, labs and diagnostic studies, and copies of notes or reports by LPFP or other healthcare providers. The information did not include credit card or bank account information or invoices for medical services. Final statements for any accounts sent to a collection agency may have been involved, according to the privacy notice.
The medical group said that because of these incidents, it is making changes in regards to how its network is accessed. The notice read, “We have upgraded our system in consultation with seasoned IT professionals, including the purchase of a new enhanced firewall, and are further analyzing the tools and procedures we use to monitor and attempt to block malicious attempts to hack into our network. We are re-analyzing our network and our policies to attempt to further safeguard against potential threats. We are reinforcing and providing additional privacy and security training to all our workforce. We reported the hacking incidents to law enforcement for further investigation.”