A two-physician practice in Battle Creek, Michigan is reportedly the first health care provider to cease operations as a result of a ransomware attack.  The Minneapolis Star Tribune reports that Brookside ENT experienced a malware attack that deleted and overwrote every medical record, bill and appointment in the practice’s system, including backups, and created encrypted duplicates.  The attacker then attempted to extort $6,500 from the group, to be wired to an anonymous account, in order to decrypt the files.

Facing the expense and uncertainty of recovering from this attack, the two physicians, Dr. William Scalf, 64, and Dr. John Bizon, 66 (who also serves as a Republican Michigan state senator), decided to close their practice and accelerate their planned retirement by a year.  Unfortunately, with all their records wiped clean, they did not even have a list of patients and their contact information to allow them to communicate the closure of the practice.  Instead, Dr. Scalf said, “… what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.”  Patients were given referrals to other otolaryngologists in the area, but their records, including test results, remained unavailable.

The doctors had decided against paying the ransom because there was no way to ensure they would get a valid code to unlock the files in return, and no way to prevent being extorted again in the future. The Star Tribune cited Brian Stevenson, president of Roseville cyber security firm FocusPoint Technologies, who reported that only about one-third of ransomware victims who pay the ransoms end up getting their data back. Symantec reports a slightly better average, with 47% of those who pay receiving a valid unlock code.

The group consulted an IT expert who verified that the attack did not grant the hackers access to any protected health information, so no HIPAA breach needed to be reported. Note that the HHS Office for Civil Rights Fact Sheet on Ransomware and HIPAA states:

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

In some states physicians can be sanctioned by their medical boards and/or held civilly liable for “patient abandonment,” which is defined in Pennsylvania as “when a physician withdraws his services after a physician-patient relationship has been established, by failing to give notice to the patient of the physician’s intention to withdraw in sufficient time to allow the patient to obtain necessary medical care.”  It is unclear what responsibilities a physician would have in a situation where due to a malicious attack they no longer have access to records that would allow them to provide notice to patients.

One lesson from this catastrophe is to take steps to properly insulate your backup system from external infection. Use multiple backups, including a cloud-based system, for redundancy. If practical, keep any local backup servers disconnected from the Internet.  The Office for Civil Rights of the Department of Health and Human Services reminds covered entities that “Implementing a data backup plan is a Security Rule requirement for HIPAA covered entities and business associates as part of maintaining an overall contingency plan. Additional activities that must be included as part of an entity’s contingency plan include: disaster recovery planning, emergency operations planning, analyzing the criticality of applications and data to ensure all necessary applications and data are accounted for, and periodic testing of contingency plans to ensure organizational readiness to execute such plans and provide confidence they will be effective. See 45 C.F.R. 164.308(a)(7).”

This attack may have caused an unusually comprehensive loss of data, including all patient contact information.  Maintaining a separate patient contact list and printing out appointment schedules might have helped this group reach out to affected patients.  In today’s wired environment it is too easy to assume that our electronic resources will always be available, and when they are suddenly vaporized, the consequences can be severe to providers and patients alike.