500,000 affected in ransomware attack on home medical equipment supplier

Airway Oxygen discovered the breach in April when a hacker gained access to the network.
By Jessica Davis
11:45 AM
ransomware attack medical equipment

Michigan-based Airway Oxygen was hit by a ransomware attack in April that may have compromised the data of 500,000 clients, the home medical equipment supplier reported to the U.S. Department of Health and Human Services on Friday.

Airway Oxygen reported the breach to the Vermont Attorney General’s office earlier this month.

According to the official notification, Airway Oxygen discovered the breach on April 18. The hacker gained access to the network and installed ransomware, which shut employees out of the system. Personal health information was stored on the affected network.

[Also: The biggest healthcare breaches of 2017 (so far)]

Officials said there is currently no evidence patient data was accessed.

Affected data contained names, addresses, birthdates, phone numbers, diagnosis, service type and health insurance data. Officials said Social Security numbers, credit card numbers and bank account information were not included.

However, this type of data is most commonly used for medical fraud.

[Also: How 3 hospital breaches went undetected for more than 3 years]

Following the discovery of the breach, Airway Oxygen performed an internal scan on its system, changed passwords for all users, vendors and applications, reviewed the firewall, updated and deployed security tools and installed monitoring software to issue alerts of suspicious activity.

Further, the company hired a cybersecurity firm to investigate the cause and impact of the breach.

The ransomware attack on Airway Oxygen is a reminder how crucial it is for organizations to put these tools in place before an attack.

“Clearly there is a trend, not surprisingly, where many companies are devoting more money to the organization after an incident,” Executive Vice President of Crisis and Risk Management of public relations firm Edelman, Andrew Liuzzi said.

“But there is a natural benefit to having all of [these security needs] in place before an attack occurs,” he continued. “There’s no amount of technology that can account for human error or deceptions when it comes to suspicious emails… Don’t wait for a breach to occur: Be proactive.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.