Maffi Clinics, Arizona, have revealed that a ransomware attack on their servers compromised the files of nearly 10,500 patients.
Maffi Clinics, a network of 5 plastic surgery and skin care clinics, detected the ransomware attack on September 11, 2018. IT security staff quickly responded to the attack, therefore limiting the hacker’s access to sensitive data. In total, the hacker only had access to Maffi Clinics’ systems for 5 hours.
Maffi Clinics contracted an independent IT security firm to remove the ransomware from their servers. The IT workers were able to recover patient data files from Maffi Clinics’ backups, and no data was lost. Maffi Clinic and the IT security firm launched an investigation into the breach to assess its cause and scope. The investigators did not find evidence that the hacker had accessed or downloaded any of the patient data.
Unusually for ransomware attacks, Maffi Clinics did not receive a ransom demand. The primary motive of threat actors behind ransomware campaigns is often to extort healthcare organisations. In this instance, if no ransom demand was received, then the hacker’s motive is unknown.
The files that had been locked by the ransomware contained names, addresses, phone numbers, and pre-and post-operative records. The hacker would not have been able to access Social Security numbers or financial information, which are generally sought after by criminals to commit fraud.
Maffi Clinics has taken steps to improve security, and additional safeguards have now been implemented to prevent further ransomware and malware attacks.
Following HIPAA’s Breach Notification Rule, Maffi Clinic sent notification letters to affected patients informing them of the ransomware attack.
“If you detect any suspicious activity on any of your accounts, you should promptly notify the financial institution or company with which the account is maintained,” Maffi Clinic said in their breach notice. “You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.”
Maffi Clinic notified OCR of the attack on March 6, 2019. It is estimated that the breach affected 10,465 patients.