Patients to clean up a breach after protective services not offered

A virus that prohibited access to files crippled IT systems at Centrelake Medical Group in Ontario, Calif., this past February, potentially compromising protected health information for nearly 200,000 people.

It appears the virus was not ransomware, but it did deny access to data, according to executives of the healthcare organization, which has eight locations in California.

The organization’s breach notification letter does not include an offer of protective services to affected individuals, which are sometimes offered in similar incidents. Centrelake could run afoul of the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules and is encouraging organizations to offer protective services.

“Centrelake encourages affected individuals to remain vigilant against incidents of identity theft and fraud, and to seek to protect against possible identity theft or financial loss by regularly reviewing their financial account statements, credit reports and explanations of benefits for suspicious activity,” patients were told.

The company restored its system and got help from a forensics firm in determining the nature and scope of the attack.


“As part of our ongoing investigation, we determined this virus was introduced by an unknown third party that had access to certain servers on our information system, which contain personal and protected health information relating to current and former Centrelake patients,” according to the notification letter, which was sent to patients and business partners.

“After a review of available forensic evidence, we determined that suspicious activity began on our network on Jan. 9, 2019, lasting until the virus infection on Feb. 19, 2019.”


While Centrelake asserts there is no evidence that the third party viewed or took patient information stored on its systems, the organization did confirm that the impacted servers held files and software applications that may have included names, addresses, phone numbers, services, diagnoses, drivers’ license numbers, health insurance information, referring provider information, medical record numbers, dates of service and Social Security numbers.

In the notification letter, the organization did not publicly disclose how many persons were affected, but since then, the company has notified the HHS Office for Civil Rights that 197,661 individuals were affected.
