Ransomware attack at oxygen vendor affects 500,000 patients
A ransomware attack April 18 at Airway Oxygen in mid-Michigan has resulted in breach notifications being sent to 500,000 current and past patients, as well as 1,160 current and former employees of Airway and a sister company.
The company was unusually candid and forthcoming in its explanation of the attack, believed to have been carried out from an offshore location. The notification letter includes an expansive Q&A covering who was responsible for the breach, how it was discovered, how long hackers were in the system, if the hack could have been prevented, data that was stolen and whether anyone has been adversely affected, among other questions.
However, the company in the Q&A said, “We have no comment with respect to the amount of the ransom demand or whether it was paid.” To date, there are no reports of adverse consequences, according to Stephen Nyhuis, president of the company.
The organization was aware of the attack “soon after it was occurring,” as attackers detected and exploited security vulnerabilities and bypassed all other security measures, according to the notification letter.
Compromised information included names, addresses, birthdates, telephone numbers, diagnoses, insurance policy numbers, types of service and some Social Security numbers.
Data files were encrypted, and intruders gained access to data, so company executives say they assume that all clinical data may be compromised. However, financial information remains safe, as it is not stored in computer systems.
The notification letter does not include the offering of credit monitoring or identity theft protection services, and an attorney for the company did not respond to a question on whether such services will be offered.
“Airway Oxygen has developed a strong reputation for the care and service we’ve provided for more than 40 years,” Nyhuis told customers. “This criminal act against our companies, our customers and our employees is something we must now work hard to overcome.”
The attack occurred even though anti-virus software runs continuously at the company. The company is working with a cybersecurity firm to strengthen cyberattack defenses.
In addition to supplying oxygen, Airway Oxygen also sells mobility, bath safety, sleep therapy and women’s health products.