American Baptist Homes of the Midwest (ABHM) has provided breach notification letters to patients following a ransomware attack on its network.

ABHM, a provider of assisted living and assisted care facilities throughout the U.S. Midwest, discovered the attack shortly after it was launched on March 10, 2019. Although IT staff at the facility implemented measures to limit the attack, the organisation’s files were encrypted before the affected accounts could be secured.

ABHM immediately launched an investigation to determine the extent of the breach. The investigators concluded that only the general file systems and email accounts were compromised; the breach did not affect the clinical and billing systems.

The investigators did not find evidence to suggest the unauthorised individual stole or misused any patient data, and therefore concluded that the primary aim of the attack was extortion. However, data theft could not be definitively ruled out.

The types of information stored on the compromised servers and systems included individuals’ names, addresses, Social Security numbers, financial information, diagnoses, lab test results, medications and some other medical information.

The attack affected the following locations:

Colorado:

Health Center at Franklin Park, Denver

Mountain Vista Senior Living, Wheat Ridge

Iowa:

Crest Services – Cedar Rapids; Des Moines; Harlan; Ottumwa; and Chariton

Elm Crest Senior Living, Harlan

Minnesota:

Crest Services – Albert Lea

Thorne Crest Senior Living, Albert Lea

Nebraska:

Maple Crest Health Center, Omaha

South Dakota:

Trail Ridge Senior Living, Sioux Falls

Wisconsin:

Tudor Oaks Senior Living, Muskego

ABHM contracted a third-party cybersecurity organisation to assist with data recovery. ABHM was able to successfully remove the ransomware from its systems and restore encrypted data from backups.

Following HIPAA’s Breach Notification Rule, all affected individuals have now been notified by mail and the incident has been reported to law enforcement and the HHS’ Office for Civil Rights (OCR).

In their breach notification letters, ABHM stated that they had ‘adopted further safeguards going forward’ to mitigate the risk of a future incident of this nature. The letter also stated: “ABHM brought in a third-party security expert to perform an in-depth security risk assessment, enhanced its technological security requirements (for example, we strengthened password requirements and implemented electronic procedures that terminate access to ABHM systems after a series of failed attempts) and engaged a 24/7 security monitoring system to safeguard and protect all ABHM data.”

ABHM has advised all affected patients to monitor their accounts for signs of fraudulent activity and inform law enforcement should they notice any suspicious behaviour.

The incident has yet to appear on the OCR breach portal, so it is currently unclear exactly how many individuals have been affected by the breach.