On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group that works with Boston Children’s Hospital, suffered a malware attack that led to a system outage which stopped its 500+ pediatricians, nurse practitioners, and physician assistants from viewing patient data and scheduling appointments.

PPOC has around 200 servers, 11 of which were affected by the attack. IT teams at PPOC and Boston Children’s Hospital worked quickly to limit the malware and the impacted servers have now been quarantined. Servers not hit by the attack were shut down as a precautionary step. Boston Children’s Hospital released a statement stating that its systems were unaffected by the attack.

Patients were advised to reschedule non-urgent appointments as health records cannot be accessed until such time as the malware is completely deleted and the servers are brought back online. Children’s Hospital released a statement on Wednesday saying progress was being made restoring the servers, but it was still unclear how long the recovery process is expected to last.

PPOC has over 100 practices spread across the state of Massachusetts and serves more than 350,000 patients. It is currently not known what type of malware was involved and whether it permitted hackers to obtain access to patient data.

Central Kansas Orthopedic Group Impacted by Ransomware Attack

Central Kansas Orthopedic Group (CKOG) in Great Bend, KS experienced a ransomware attack in November 2019 that lead to the encryption of patient records.

The attack was first noticed on November 11, 2019. The attackers issued a ransom demand which CKOG refused to pay. All encrypted files, including patient medical records, were successfully restored from backups.

An external forensic investigator was hired to help out with the investigation and determine whether patient data had been accessed or exfiltrated by the hackers prior to the deployment of ransomware. The investigation found no evidence to indicate the hackers accessed or stole patient data and no reports of data misuse have been received.

The range of information that could potentially have been accessed included names, addresses, email addresses, dates of birth, state-issued ID numbers, driver’s license numbers, health information related to treatment supplied by CKOG, Social Security numbers, and health insurance information. All affected patients have been notified by mail and offered identity theft protection services via ID Experts.

CKOG is now examining its security platform and has started putting in place additional security protocols to bolster its security posture.

The HHS’ Office for Civil Rights breach portal indicates that 17,214 patients were potentially impacted by the attack.