Associates in Dermatology Patients Affected by Business Associate Ransomware Attack

Associates in Dermatology, a network of dermatology clinics in Indiana, Kentucky, and New York, has started notifying patients that some of their protected health information has been exposed in a ransomware attack on one of its business associates.

Virtual Private Network (VPN) Solutions provides electronic medical record management services to healthcare providers and Associates in Dermatology used its TouchChart software to host patient data. The ransomware attack was detected by VPN Solutions on or around October 31, 2021, and Associates in Dermatology was notified on December 22, 2021, that none of its data was accessed or stolen in the attack, but was told the forensic investigation into the attack was ongoing.

Associates in Dermatology said VPN Solutions was contacted on multiple occasions to ask how the forensic investigation was progressing and to obtain a formal report about the attack, but it took until January 17, 2023, to discover patient data had been exposed – 15 months after the breach was detected, and 2 months after VPN Solutions determined that files had been exposed.

According to the breach notice, electronic medical records were not exposed, but tag image files from a data warehouse may have been obtained in the attack. Most of those files did not contain patient data, but VPN Solutions said some of the files could be linked to patient names. Associates in Dermatology said VPN Solutions did not confirm if individually identifiable information or protected health information was contained in the files and did not provide a list of patient names.

Associates in Dermatology said its own analysis determined on March 10, 2023, that the compromised files may have contained personally identifiable information. The types of information varied from patient to patient and may have included one or more of the following data elements: first and last name, address, Social Security number, date of birth, medical condition(s)/diagnosis, treatment information, test results, health insurance policy number, subscriber identification number, health plan beneficiary number, and unique AID patient identifiers.

Associates in Dermatology said VPN Solutions has taken steps to improve security and has rebuilt its entire environment and restored all data. Associates in Dermatology performed a review of its contracts with third-party vendors and assessed their cybersecurity measures and has offered affected individuals complimentary credit monitoring and identity theft protection services.

The HHS’ Office for Civil Rights breach portal indicates 8,517 individuals have been affected.

47,000 Special Needs Student Records Exposed Online

A database containing the records of more than 47,000 special needs students was exposed to the Internet without password protection and could be accessed by anyone without any authentication. Security researcher Jeremiah Fowler found the database in mid-February and traced it to a company called Encore Support Services, a Brooklyn, NY-based provider of special education, behavioral health, and related services. Fowler notified Encore Support Services about the data exposure and the database has now been secured.

According to Fowler, the 6.74 GB database stored records going back to 2018 and included invoices containing student names, addresses, parent names, Open Student Information System (OSIS) numbers, service provider names, vendor information, EIN/SSN tax identification, and billing hours. The invoices also included codes for services that indicated a disability.

The data could be used for a range of nefarious purposes. For instance, Encore Support Services could be impersonated and parents contacted and asked to reveal sensitive information or pay a small charge on their credit card. Since a threat actor would have access to students’ unique OSIS numbers, case numbers, and therapy histories, the requests would be convincing.

Fowler was unable to determine how long the database had been exposed and whether it had been accessed by unauthorized individuals but suggests that the database most likely has not been exposed for long as it had not been encrypted using ransomware or deleted for extortion purposes.

Author: Steve Alder, editor-in-chief of HIPAA Journal.