Blue Springs Family Care hit by ransomware attack that potentially compromised data of over 44,000 patients

• The attack was discovered by a computer vendor of the company on May 12.
• Patients’ full names, home addresses, birth dates, Social Security numbers, medical health records and disability codes may have been stolen by hackers.

Missouri-based health care provider Blue Springs Family Care is notifying 44,979 patients that their protected health information (PHI) may have been compromised due to a ransomware attack that took place in May 2018.

According to the health care provider, the attackers may have gained access to a variety of information including patients’ full names, home addresses, birth dates, Social Security numbers, account numbers, driver’s license numbers, medical health records and disability codes.

The attack was discovered by a computer vendor of the company on May 12, following which an investigation and recovery process was initiated together with a separate forensic computer vendor that was hired by the company.

Investigators discovered that attackers had stolen patients’ data by breaking into the healthcare provider’s systems. The cybercriminals had infected the clinic’s system with different kinds of malware, including the ransomware that caused the breach. Blue Springs Family Care suspects that the attackers may likely have gained access to the entire network of computers it used.

The firm is unsure whether the information compromised during the breach has been used by the attackers or any other third party.

"We are keenly aware of how important your personal information is to you, and we understand that this situation may pose an inconvenience to you. We sincerely apologize and regret that this situation has occurred," Blue Springs Family Care said in a statement.

Following the incident, Blue Springs has taken a few steps to strengthen the security of its systems and devices. It said a new firewall has been deployed to prevent further intrusion and they are planning to adopt a new encryption program provided by an EHR (Electronic Health Provider) vendor. The vendor will encrypt patients’ PHI registered with the clinic. The firm has also begun working on the affected systems by quarantining them.

“Immediately after the discovery of the incident, we engaged a forensic information technology company to assist with quarantining the affected systems and to install software to monitor whether any unauthorized person was accessing the system,” the healthcare provider added.

The clinic has advised all affected individuals to activate a fraud alert on their credit reports and monitor their reports periodically for any suspicious activity.