A Texas healthcare provider is facing backlash for waiting seven months to notify over 161,000 patients of a ransomware attack it experienced earlier in the year.
Patients did not receive word of the incident, which occurred in early January, until August, when Gastroenterology Consultants mailed a notice to inform them. Many were additionally astonished that the practice paid the hackers the ransom and trusted them to delete the data in exchange, according to KHOU 11 Investigates.
“It’s just ridiculous,” patient Amber Wietlispach told the news channel. “You can pay them off, but how do you know? How do you know that they really got rid of your information?”
While the organization’s patient medical record system was not affected, Gastroenterology did confirm that Social Security numbers for a small number of patients were compromised, and that the attack primarily affected names, addresses and personal health information. “Based on our negotiated resolution with the attacker, we received assurances that any potential exfiltrated data had been destroyed,” it said in its letter to patients.
The company says it has changed all passwords, disconnected its systems and conducted a full forensic investigation to determine how the hackers infiltrated its network. It added that it preliminarily notified patients by posting a notice to its website. Patients say this is not enough, as they do not regularly check the site.
“I'm a data expert. I know what can happen and the seriousness of it and frankly, it scared the hell out of me,” said Del Murphy, a patient and former software assurance expert for NASA.
Gastroenterology alerted federal authorities at HHS in March but did not notify state authorities until August. This violates Texas law, which mandates that any breaches affecting more than 250 be brought to the attention of the state attorney general within 60 days, according to KHOU 11 Investigates.
Privacy Rights Clearinghouse, a consumer advocacy nonprofit, told the news channel that notifying patients in a timely manner is essential. “Every single second that you are not aware of that breach, it’s increasing the risk of identity theft,” said policy counsel Emery Roane. “You are unable to make the best-informed decision about whether to freeze your credit or get identity protection services.”
The Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations hit by ransomware attacks report such incidents to state and federal authorities immediately. It also advises against paying any ransom demands, as payment does not guarantee the return of data and can make organizations the target of repeated attacks for further payoffs by the same attackers, according to Health IT Security.
Gastroenterology Consultants has offered complimentary credit monitoring and identity theft restoration services to those whose Social Security numbers were affected. It did not tell KHOU 11 the reason for the delay in notifying patients but said it has revised its protocols to prevent future issues.
"We, unfortunately, learned that the time and effort to manually review thousands of documents was not cost-effective. Therefore, although there is no evidence of any unauthorized use of patient or employee data, we have determined it best to issue mail notifications to all employees and patients detailing the specific type of information potentially exposed," it said on its site.