Arkansas surgery center reports ransomware attack

Chris Nerney
Chris Nerney, Contributing Writer |
Arkansas surgery center reports ransomware attack

An Arkansas surgery center says it was the victim of a ransomware attack in late July that potentially breached the data of 128,000 patients.

Arkansas Oral Facial Surgery Center (AOFSC), based in Fayetteville, sent out a notice to patients on September 24 informing them of the attack, the likely extent of the damage, and measures being taken to prevent future breaches.

“Except for a relatively limited set of patients, our patient information database was not affected by the ransomware,” the facility said in the notice. “While our investigation into the matter continues, it does not appear that patient information was stolen from our system.”

However, the surgery center said, imaging files (such as x-rays) and other documents such as attachments were impacted.

“The ransomware has rendered the imaging files and documents inaccessible,” AOFSC said. “Based on our present investigation, it also appears that the ransomware rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident.”

Information in the affected files included “attachments and radiographs that might include demographic information such as patient names, addresses, dates of birth, and Social Security numbers and clinical information such as diagnosis, treatment plans or conditions and other information such as health insurance information,” according to the surgery center.

The ransomware attack occurred on July 25 or July 26, an investigation determined. AOFSC said it has installed a new record system in the wake of the attack and also is offering 12 free months of free credit monitoring to all patients.

Ransomware attacks on healthcare systems have become disturbingly common in the past two years, with many experts predicting an increase in 2017. A  Department of Health and Human Services task force in early June issued a report highly critical of U.S. healthcare organizations for “having neither the awareness of current threats nor the technical personnel to prevent or deal with these threats, many of which are not new.”