Riverplace Counselling Centre is notifying 11,639 patients of a data security incident following the discovery of malware on its systems.
Riverplace Counselling Center in Anoka, Minnesota, discovered the malware infection on January 20, 2019. Riverplace contracted a third-party forensic cybersecurity firm to remove the malware and restore its systems from backups. The analysis was completed on February 18, 2019.
The investigators did not uncover any evidence to suggested an unauthorised individual accessed, copied, or altered patient information. However, they could not rule out the possibility that sensitive patient data had been accessed.
The types of information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information.
Following HIPAA’s Breach Notification Rule, all affected individuals were sent breach notification letters on April 11, 2019. Riverside has offered identity theft monitoring services via Kroll for 12 months at no cost. The facility has not received any reports to date that patient PHI has been misused. They have also established a toll-free number for individuals to contact the facility over concerns related to the data breach.
Riverplace Counseling Center has not publicly disclosed what type of malware was involved, nor how the malware was installed on its systems.
In a statement placed on its website, Riverside has said: “We take the privacy and security of all information in our control very seriously, and we want to assure you that we are taking steps to prevent a similar event from occurring in the future. These steps include implementing additional technical safeguards including additional spam filters, firewalls and antivirus software system-wide; providing additional staff training on identifying unauthorised access; and securing a specialised cybersecurity firm to further assist us in implementing system-wide policies and procedures to help prevent a similar incident from occurring in the future.”
Riverside has also consulted with a cybersecurity firm which is providing recommendations on new system-wide policies and procedures to enhance security further.
According to the breach summary on the Department of Health and Human Services’ Office for Civil Rights website, up to 11,639 patients’ PHI was potentially compromised.