Virginia dermatologist hit by ransomware attack, records for 13,000 patients seized

Chris Nerney, Contributing Writer

A dermatology practice in Reston, Virginia, has reported a ransomware attack in which medical and financial data for 13,237 patients was stolen.
In a message posted on its website in compliance with federal and state laws regarding disclosure, Professional Dermatology Care, P.C. (PDC, P.C.) informed its patients about the breach:
Unauthorized third parties from outside the United States may have recently accessed and obtained patient protected health information and financial data between June 19, 2016 and June 27, 2016. In the ten years of having electronic medical records this had never happened.
While the dermatology practice identified the breach as a case of ransomware, there was no indication in the message to patients that it had paid a ransom.
“PDC, P.C. believes the criminals’ motive was to extract money from the company in order to de-encrypt data, rather than for the misuse of patient data,” the practice said. “The information accessed may have included patient names, addresses, dates of birth, social security and Medicare numbers, and medical and billing records.”

Ransomware has become a serious problem for healthcare providers, with attempts increasing dramatically in recent years. In response, the U.S. Department of Health and Human Services in July released new HIPAA guidance to help providers cope with ransomware.
While PDC, P.C. didn’t disclose the breach to patients until six weeks after discovering the incident, the practice said it immediately contacted the Federal Bureau of Investigation. It also informed patients that it has “increased cybersecurity [and] implemented a new firewall, as well as malware protection services.”