A ransomware attack at St. Mark’s Surgical Center in Fort Myers, Fla., has resulted in 33,887 individuals across seven states being offered a year of identity protection and credit monitoring services.

After a forensic investigation by a third party firm in May, the surgical center learned that ransomware had been placed on certain files in the server between April 13 and April 17. Why St. Mark’s had the forensic investigation done is not clear, as the organization declined to provide additional details about the incident.

Compromised protected health information included patient names, dates of birth, health and treatment information and Social Security numbers.

The organization engaged a cybersecurity expert to help recover affected data, wipe ransomware from the server and determine if protected information was used, accessed, disclosed, acquired or otherwise compromised.

Also See: LA provider beats back ransomware attack

In a notification letter to patients, St. Mark’s said there are no indications of improper use or other compromises of the data. “Nonetheless, we are providing this advisory to you and other individuals to make you aware of this incident so that you can take steps to protect yourself and minimize the possibility of misuse of your information.” This type of notification to patients is required under the HIPAA regulations.

St. Mark’s further engaged additional protective services through Epiq, a firm that handles such breach-related issues as notices, mailings, legal settlement issues and contact centers.

Since the attack, the provider has installed a more robust firewall with unified threat management services; installed a backup and data recovery system, including hourly imaging and offsite replication to redundant data centers; developed policies to ensure all devices are fully updated; and implemented new antivirus software.

St. Mark’s also gave affected individuals detailed information on avoiding identity theft, including how to contact credit rating agencies to place a fraud alert in credit files; obtaining a copy of the police report; and state-specific information on contacting their state attorney general.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access