The Southeastern Council on Alcoholism and Drug Dependence is notifying 25,000 patients that their PHI has been compromised in a ransomware attack.
SCADD, based in Lebanon, Connecticut, first detected disruptions to their network on February 18, 2019. An investigation was immediately launched, which revealed that ransomware had been installed on its system. The attack resulted in widespread encryption of patient files.
Ransomware is a malware variant that denies the user access to their device, or to individual files on the device, until a ransom has been paid to the scammer. Ransomware attacks are becoming increasingly common, particularly against organisations in the healthcare industry, due to the high black-market value of healthcare data.
The investigators determined that the files contained information including patient names, addresses, Social Security numbers, medical histories, and treatment information. SCADD contracted a third-party cybersecurity company to assist with the breach investigation.
The investigators did not uncover any evidence to suggest that the hacker accessed or downloaded any patient information. However, access could not be ruled out definitively.
Consequently, SCADD reported the incident to the HHS’ Office for Civil Rights as a potential data breach. Following HIPAA’s Breach Notification Rule, notification letters have been sent to affected patients. SCADD has stated that it has yet to receive reports that patient data has been misused.
As an act of good faith, SCADD is offering affected individuals credit monitoring and identity protection services at no cost. It has set up a toll-free line which individuals may call to gather more information about the breach. The breach notification letters contained information on how patients can help protect themselves against identity theft.
The breach summary on the OCR website indicates up to 25,148 patients have been affected by the incident.