Namaste Healthcare, a small primary care clinic in Ashland, Mo., suffered a data breach on August 12 and 13 when a hacker remotely accessed the practice’s file server and potentially viewed protected health information.
On August 14, when the practice opened, data on the file server was found to be encrypted.
The practice disabled the unauthorized user’s access, took computers offline and, with help from its technology contractor, terminated further remote access. However, the data was still encrypted by the hackers, and the practice was forced to pay an undisclosed ransom to get the decryption key and restore the encrypted data, according to a notification letter mailed to affected individuals.
“Although we have not found any specific evidence to indicate that any data was transferred or exported to any remote location by the cyber attacker from Namaste’s system, we have been unable to definitively conclude that he/she did not access and view some amount of the data on the system,” the practice notes. “Nevertheless, we were successfully able to restore systems and recover all data within days of the attack.”
Payment of ransom, in the healthcare industry and elsewhere, is more common than may be generally believed, but most of the time it is not publicized, says Rebecca Herold, CEO at The Privacy Professor, a security consultancy.
“Typically, those that are small to mid-sized organizations, are cloud providers, or are B2B types of organizations are the ones who will often pay without reporting their extortion,” she adds. “Given the steep increase in profits for the crooks from ransomware, a significant percentage of victim businesses are paying. As a pure estimate, I would not be surprised if up to 50 percent to 60 percent of small- to mid-sized businesses pay the ransom, and I know that some of the largest organizations have paid as well, maybe 10 percent to 15 percent of these.”
Compromised information in the Namaste breach included names, addresses, birth dates, Social Security numbers, medical record numbers, insurance information and the reason for appointments.
Namaste Healthcare is offering affected individuals one year of identity repair and credit monitoring services from AllClear ID, which also sent out the notification letters. A $1 million identity theft insurance policy also is offered.
The manager at Namaste Healthcare was unavailable for comment, and the practice’s attorney declined to provide additional details about the incident.