In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.
Airway Oxygen Inc., a privately held company that supplies home healthcare equipment in the Midwest, reported that the mid-April ransomware attack accessed patient names, addresses, birth dates, telephone numbers, medical diagnosis and treatment information and health insurance policy numbers.
The attackers also compromised personal information for more than 1,000 employees, according to a company statement.
And the attack might have broader implications. The company’s breach disclosure notice stated that “vendors [and] contractors have potentially been affected by this criminal attack,” without providing further detail about whether – and the extent to which – other organizations might have been affected by the ransomware.
The company has not disclosed whether a ransom was paid to the hackers. “We have no comment with respect to the amount of the ransom demand or whether it was paid.”
So far this year, 151 companies have reported data security incidents to the U.S. Department of Health and Human Services, Office of Civil Rights. This averages nearly one healthcare data security incident each day.
The Airway attack is the second largest incident reported in 2017. On March 1st, Commonwealth Health Corporation, a Kentucky-based regional healthcare provider, reported that nearly 700,000 patient records were compromised in what – according to a public statement – involved an insider who stole an encrypted CD and USB drive several years ago that included “patients’ names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes and charges for … medical services.”
Ransomware incidents have spiked in the past few months with last week’s so-called Netpetya virus that infected thousands of computers and encrypting their contents mostly in the Ukraine and Russia. And in May, the WannaCry worm hit more than 150 countries, crippling critical infrastructure in many countries including hospitals and medical care in the UK.