Spine care practice pays ransom, regains IT systems
New Jersey Spine Center, with six sites, recently reported that it paid a ransom payment to hackers to regain control of its information systems after a ransomware attack.
The attack, using the CryptoWall ransom virus, occurred on July 27, according to a notification letter to patients from the organization, which operates six locations serving northern and central New Jersey. “The malware was detected by our virus protection software, but unfortunately not until after our electronic patient records were encrypted,” the organization said.
Also encrypted were the most recent backup of data and the phone system. “Seeing no other option, we elected to pay a monetary ransom to gain access to the records.” Access to information systems was regained on August 1.
Most likely, according to the notification letter, the virus used a list of stolen passwords and ran a program to attempt access until a match was found.
Compromised patient information included medical and demographic data and, in some cases, Social Security numbers, credit card numbers and account information.
Affected individuals are being offered one year of identity protection services through Equifax.
New Jersey Spine Center did not say how many patients were affected and did not respond to a request for additional comment. The incident is not yet posted on the HHS Office for Civil Rights breach notification web site.