Gastroenterology Consultants, PA experienced a ransomware attack on January 10, 2021 that involved the encryption of sensitive information. The company sent notifications to patients possibly impacted to advise them about the potential access to or exposure of their protected health information (PHI) in the attack.
Gastroenterology Consultants, the largest partnership GI practice based in Houston, TX, started an investigation of the ransomware attack and took action to block the threat actors from accessing its network and to recover the affected information. The company uploaded a substitute breach notice to its website on March 19, 2021 to inform patients about the attack. No evidence was found that suggests the attacker accessed or exfiltrated any patient information in the attack.
Attacks like this usually require sending breach notification letters because, although there is no evidence of data theft, it is typically impossible to exclude unauthorized PHI access with 100% certainty. In this case, instead of identifying the specific patients impacted by the attack, the provider decided to inform all patients whose PHI was likely compromised. Gastroenterology Consultants submitted a breach report to the Maine Attorney General stating that 162,163 breach notifications were sent.
Right after commencing a comprehensive data mining process to determine specifically whether any patient or worker had sensitive personal data or PHI compromised, the provider discovered that reviewing thousands of records one by one wasn't cost-effective. Hence, even though there is no proof of any unauthorized use of patient or worker information, Gastroenterology Consultants thought it best to mail notices to all workers and patients explaining the particular type of data potentially compromised.
The files possibly breached had been prepared by employees for patient processing. The records included certain PHI, and fewer than 50 had compromised Social Security numbers. Those people were given complimentary credit monitoring services, as were employees whose sensitive information was potentially accessed.