Saint Francis Healthcare System made an announcement that there was a ransomware attack on Ferguson Medical Group’s computer network.
The attack transpired on September 21, 2019, prior to the acquisition of the medical group based in Sikeston, MO by Saint Francis Medical Center. Saint Francis Healthcare knew about the ransomware attack on the same day as the attack.
Based on the notice posted on Saint Francis Healthcare’s website, the attackers were able to encrypt the medical records of Ferguson Medical Group patients who received healthcare services before January 1, 2019. Saint Francis Healthcare reported the incident to the Federal Bureau of Investigation and took steps immediately to isolate the impacted systems.
The attackers asked for a ransom payment in exchange for the file decryption keys. Saint Francis Healthcare decided not to pay the ransom and use backups to recover files because there was no assurance that the attackers would give decryption keys able to restore the files and there were other concerns.
Although a lot of files were retrieved, some data were permanently lost and can’t be recovered. Records that can’t be recovered included any scanned documentation that was stored on its systems, and healthcare records of patients who got Ferguson Medical Group services from September 20, 2018 to December 31, 2018.
After analyzing the attack, there was no evidence uncovered that indicate the attackers acquired files that contain the protected health information (PHI) of patients before encryption. There was also no report received that suggest the misuse of any patient information. Nevertheless, unauthorized access and theft of data cannot be ruled out. So, Saint Francis Healthcare offered credit monitoring and identity theft protection services to the affected patients for free.
The breach incident is already listed on the breach portal of the Department of Health and Human Services’ Office for Civil Rights. According to the breach summary, 107,054 Ferguson Medical Group patients were impacted. There was no mention regarding the number of patients who had lost some or all their health data because of the attack.