How quick breach recovery hurt one provider
In mid-June, Salina Family Healthcare Center in Kansas was the victim of a ransomware attack, but it was able to restore its computers and servers almost immediately because it closely followed the requirements of its backup policy.
At Salina Family, data backups are done each night. In addition, all servers are backed up once a week, and a comprehensive system backup is done once a month. All backups are encrypted and stored off-site.
But the backup policy had a flaw that wasn’t known until the attack, says Rob Freelove, MD, CEO. “We were so intent on getting back online, we didn’t think about preserving evidence.”
The evidence was not available because all the servers were scrubbed of data and rebuilt from backup tapes. “Leaving one server uncleaned would have helped in getting more forensics evidence,” Freelove adds. “We had 33 end-user terminals deleted and rebuilt and should have saved one or two hard drives for the forensic investigators.”
That is important because forensic experts determine how a breach occurred and whether any information was accessed by an unauthorized party.
Consequently, the organization could not rule out the possibility that data had been compromised, so notification letters had to be mailed to about 70,000 patients. The letters contained the offer of one year of credit monitoring and identity protection services from AllClear ID.
Data at risk included patient names, addresses, Social Security numbers, dates of birth, health insurance information and treatment information. “To date, we are not aware of the misuse of anyone’s information as a result of this incident,” the organization said in the patient notification letter.
As Salina Family Healthcare Center worked through the breach, it encountered another obstacle when mailing out patient notification letters. There are a lot of rental properties in town, and while a notification letter may have been sent to the right address, the affected individual may no longer have been living at that address.
The city also has a large transient population that made patient notification difficult. So, in an updated notification letter, the healthcare center asked recipients who received a letter that was incorrectly addressed to mark it “Return to Sender,” so returned letters could be sent to the right address.