Cyberattackers Ask for Ransom Demands from Four Winds Hospital, NY and Advanced Urgent Care of Florida Keys

Katonah, NY-based Four Winds Hospital found out that ransomware encrypted files on or around September 1, 2020. The ransomware attack blocked the hospital’s access to its computer systems and triggered a downtime for about two weeks while mitigating the attack.

When Four Winds Hospital learned about the attack, it immediately took steps to stop further unauthorized access to its system. Third-party cybersecurity professionals helped to identify the extent of the ransomware attack and know if patient information was compromised.

As mentioned in the substitute breach notice of Four Winds Hospital, cybersecurity professionals found information that the cybercriminals wiped out any files they had taken. However, this information cannot be independently verified. That indicates that there the cybercriminals received ransom payment, although Four Winds Hospital did not confirm this information.

The attack didn’t affect the electronic health record system, email system, cloud environment, or encrypted data fields. According to the investigation, the cybercriminals accessed password protected files and possibly viewed the listings of patients dated 1983 up to the present. Those listings contained names as well as medical record numbers, 100 records of which included Social Security numbers. The cybercriminals may have also accessed various files that contain patient information from 2013 up to the present. The files contained names, Social Security numbers, and treatment details of Medicare patients admitted to the hospital before 2019.

The HHS’ Office for Civil Rights breach portal breach has not published yet the incident and so the number of patients affected by the breach is still uncertain.

Advanced Urgent Care of Florida Keys

Advanced Urgent Care of Florida Keys commenced giving breach notifications to patients on November 6, 2020 regarding a ransomware attack that happened on March 1, 2020. Although there is no mention in the breach notice, on March 14, 2020, Databreaches.net reported the theft of patient data during the ransomware attack. The attackers dumped the stolen information on the web when there was no ransom payment made.

As per the Advanced Urgent Care breach notice, after the attack, an investigation to determine if patient data was compromised went on until September 11, 2020. The ransomware attack resulted in the encryption of files stored on a backup drive that contained protected health information (PHI) such as names, birth dates, medical treatment data, lab test results, medical diagnostic details, health insurance details, medical record numbers, Medicare or Medicaid beneficiary numbers, medical billing data, bank account details, debit or credit card data, driver’s license numbers, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, Social Security numbers and signatures.

Advanced Urgent Care offered complimentary credit monitoring services to patients who had their Social Security numbers compromised and have taken steps to improve security to avoid further attacks and to recognize and remediate upcoming threats.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.