Atlanta clinic finds 15-month breach during investigation on separate ransomware attack
Peachtree Neurological Clinic discovered a 15-month breach in the process of investigating a recent ransomware incident, the Atlanta-based provider announced this week.
While PNC officials did not disclose when the most recent ransomware attack occurred, its electronic health record system was encrypted by the virus. Instead of paying the ransomware, officials were able to restore the files and functionality from backup records.
Officials have since repeated system scans and found no further trace of ransomware. Further, there was no evidence the virus exfiltrated data.
However, this investigation uncovered a separate massive breach: A hacker had access to the system between February 2016 to May 2017. Officials said the possible data accessed by the hackers may contain names, Social Security numbers, driver’s licenses, addresses, phone numbers, medical data, prescriptions and or health insurance data.
The investigation was unable to determine whether patient access was viewed or acquired. Patients are being notified of the breach and offering identity theft protection services. PNC also reported the incident to law enforcement.
"We take patient privacy seriously and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected," PNC Managing Partner Lawrence Seiden, MD, said in a statement.
Update July 24, 2017: According to the Department of Health and Human Services’ breach tool, 176,295 patients were impacted by the breach.