April 20, 2019 | Reading Time: 2 Minutes

All Records Erased, Practice Closes Down after Healthcare Ransomware Attack

In the aftermath of a devastating healthcare ransomware attack, a practice based in Battle Creek, Michigan has been forced to close its doors. It is another example of the growing threat that ransomware poses to small individual and group practices in the United States.

Brookside ENT & Hearing Services has been forced to permanently close after a ransomware incident resulted in the loss of all of its electronic health records. This is the first reported healthcare ransomware attack in which a practice closed as a result.

With this example in mind, the average practitioner is likely to ask how to better understand ransomware attacks and protect the practice against them.

Understanding Healthcare Ransomware

Ransomware is a type of malware that infects a user’s computer or network. Once it is running, the malware encrypts the data on the infected system and, typically, on any file shares and attached drives it can reach. The attackers then demand a ransom in exchange for the key needed to restore access to that data.

Sometimes the ransomware presents the provider with a countdown: pay the ransom within the allotted time, or lose access to the protected health information (PHI) permanently. PHI is individually identifiable health information created, received, stored, or transmitted by a HIPAA covered entity or business associate, together with the demographic details that identify the patient. Common examples include a patient’s name, address, email, telephone number, Social Security number, medical records, and insurance ID numbers. Electronic PHI (ePHI) is PHI stored or transmitted in electronic form, such as the records maintained in an electronic health record (EHR) system.

Preventing Healthcare Ransomware Attacks

In the case of Brookside ENT & Hearing Services, all of the practice’s medical records, billing information, and appointment logs were permanently lost. That includes the on-site backups maintained by the practice. Those backups were an attempt to protect the records, but on-site backups that stay connected to the network (a mapped drive, an attached USB disk, a synced folder) are as exposed as the original files, because ransomware encrypts everything the compromised account can write to. A backup that can survive ransomware is one the malware cannot reach: stored off-site, in a separate geographic location from the original files, and either kept offline or written to versioned, immutable storage, so that a copy made before the attack cannot be overwritten afterwards.

Off-site backup keeps a full copy of the data on separate premises, which matters in the event of a natural disaster as much as in a ransomware incident. Brookside carried out backup procedures but stored the backups on-site, and when the ransomware struck, the backup files were encrypted along with everything else. Even though Brookside took steps to prepare for this kind of incident, those measures fell short both of what was needed and of what the HIPAA Security Rule requires: its contingency planning standard calls for a data backup plan and a disaster recovery plan that let a covered entity restore exact copies of ePHI, and a backup that is lost together with the production data does not meet that bar.
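The difference between a mirrored on-site backup and a versioned store the malware cannot reach, as an added example that is not from this article and does not describe Brookside’s actual setup: a small Python model that runs on temporary directories with constructed sample files. The “ransomware” is an XOR stand-in for a real cipher, the canary file and its expected hash are assumptions introduced here, and the off-site store is simulated as a directory outside the tree the malware walks (the point being that an unmounted store is out of the attacker’s reach). The backup jobs keep running after the attack, as they would in practice, so the model also shows why a simple sync of the latest state is not enough and a restore script needs a way to pick the last snapshot taken before the encryption began.

```python
"""Added example (not from the Telehealth.org article): mirrored on-site backup
versus a versioned store outside the victim's reach, with a canary file used to
find the last clean snapshot. All files are constructed sample data."""
import hashlib
import shutil
import tempfile
from pathlib import Path

CANARY_NAME = "_canary.txt"
CANARY_BYTES = b"canary-v1\n"          # fixed content, so its hash is known up front
CANARY_SHA256 = hashlib.sha256(CANARY_BYTES).hexdigest()


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seed_live_data(live: Path) -> dict:
    """Write constructed sample 'EHR' files plus the canary; return name -> sha256."""
    live.mkdir(parents=True, exist_ok=True)
    samples = {
        "patients.csv": b"id,name,dob\n1,Jane Doe,1980-01-02\n",
        "billing.json": b'{"claims": [{"id": 17, "amount": 120.5}]}\n',
        CANARY_NAME: CANARY_BYTES,
    }
    for name, data in samples.items():
        (live / name).write_bytes(data)
    return {name: hashlib.sha256(data).hexdigest() for name, data in samples.items()}


def mirror_backup(live: Path, mirror: Path) -> None:
    """Classic 'copy to the backup drive' job: each run overwrites the previous copy."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(live, mirror)


def snapshot_backup(live: Path, store: Path) -> Path:
    """Versioned job: each run writes a new snapshot directory; old ones are never touched."""
    n = len(list(store.glob("snap-*")))
    snap = store / f"snap-{n:04d}"
    shutil.copytree(live, snap)
    return snap


def simulate_ransomware(root: Path, key: int = 0x5A) -> int:
    """Stand-in for the malware: XOR-'encrypt' every file reachable under root in place."""
    count = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            count += 1
    return count


def snapshot_is_clean(snap: Path) -> bool:
    """A snapshot whose canary no longer hashes to the known value was taken after the attack."""
    canary = snap / CANARY_NAME
    return canary.is_file() and sha256(canary) == CANARY_SHA256


def latest_clean_snapshot(store: Path):
    for snap in sorted(store.glob("snap-*"), reverse=True):
        if snapshot_is_clean(snap):
            return snap
    return None


def run_scenario() -> dict:
    """Return whether each backup strategy still allows a full restore after the attack."""
    base = Path(tempfile.mkdtemp())
    live = base / "workstation" / "ehr"
    mirror = base / "workstation" / "backup_drive"   # mapped drive: the malware reaches it
    store = base / "offsite_store"                   # not mounted on the workstation
    store.mkdir()
    expected = seed_live_data(live)
    mirror_backup(live, mirror)
    snapshot_backup(live, store)
    # The attack encrypts everything under the workstation root, backup drive included.
    encrypted = simulate_ransomware(base / "workstation")
    # The nightly jobs still run afterwards and faithfully copy the encrypted files.
    mirror_backup(live, mirror)
    snapshot_backup(live, store)
    mirror_ok = all(sha256(mirror / n) == h for n, h in expected.items())
    clean = latest_clean_snapshot(store)
    snapshot_ok = clean is not None and all(sha256(clean / n) == h for n, h in expected.items())
    shutil.rmtree(base)
    return {
        "files_encrypted": encrypted,
        "mirror_restorable": mirror_ok,
        "snapshot_restorable": snapshot_ok,
        "clean_snapshot": clean.name if clean else None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The mirror is destroyed twice over: first the malware encrypts the mapped backup drive directly, and then the next scheduled job replaces whatever was left with the encrypted live files. The versioned store is only written to, never rewritten, so the pre-attack snapshot is still intact, and the canary check is what keeps a restore from picking the newer, already-encrypted snapshot. A real deployment would put the store on a separate system or a cloud bucket with object versioning or retention locking, and would test the restore on a schedule rather than assuming it works.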

Full-disk encryption is also recommended for computers that store ePHI. It encrypts the entire drive rather than individual files, so data on a laptop that is lost or stolen stays unreadable without the key, and under HHS guidance ePHI encrypted this way is treated as secured, so the loss of the device is not a reportable breach. It is worth being clear about what full-disk encryption does not do: once the computer is booted and a user is logged in, the disk is unlocked, and ransomware running under that user’s account reads and encrypts the files just as any other program would. Full-disk encryption protects against theft of the hardware; only backups protect against ransomware.

Off-site backups and full-disk encryption address different risks, and an effective HIPAA compliance program needs both: the backups so that a ransomware incident does not become permanent data loss, and the encryption so that a lost or stolen device does not become a reportable breach. Preventing data loss and preparing for ransomware should be a top priority for health care providers across the country, regardless of their specialty.
