
Surgery center says 34,000 patient records potentially breached

St. Mark's Surgery Center discovered the virus on May 8, which affected certain patient files on the Florida provider's server.

Jessica Davis, Associate Editor

St. Mark's Surgery Center in Fort Myers, Florida. Photo via Google Maps

St. Mark's Surgery Center was hit by a ransomware attack that may have affected the personal health information of 33,877 patients.

The Florida provider discovered the ransomware attack on May 8, although the attack itself took place from April 13 until April 17. The installed malware prevented patient data from being accessed during that time.

The impacted servers contained patient names, dates of birth, Social Security numbers and medical information.


St. Mark's contacted a third-party cybersecurity firm to help the provider remove the ransomware and perform a forensic investigation. The firm confirmed to St. Mark's that the malware was entirely removed and that any continued access was blocked.

While the investigation did not uncover evidence that the health information was stolen or viewed, the possibility could not be ruled out with the necessary certainty.

The U.S. Department of Health and Human Services' Office for Civil Rights requires healthcare organizations to report ransomware attacks as a breach, unless the provider can explicitly show that the attacker could not access patient data.

St. Mark's is following OCR guidance and reporting the ransomware attack to its patients.

The provider has also made security improvements, including a stronger firewall, upgrading all systems to the latest antivirus software, and bringing its patch management policies in line with best practice.

St. Mark's has also implemented unified threat management services and installed a new backup and disaster recovery system; the system performs hourly backups that are stored offsite.

It's important to note that although St. Mark's correctly notified OCR and patients of the breach, it failed to meet the 60-day reporting requirement, a violation of HIPAA rules. Earlier this year, Presence Health was fined $475,000 by OCR for a one-month delay in issuing breach notifications.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com