Summit Medical Associates disclosed on August 4 that a ransomware attack earlier this year may have compromised personal information of patients and affiliates.
According to a data breach notification, Summit discovered that it was unable to access particular data stored on its servers, then launched an investigation alongside third-party security experts.
“On or about June 5, 2020, Summit discovered that it was unable to access certain data and records stored on its server,” the notice reads. “Summit immediately launched an investigation, with the assistance of third-party forensic computer experts, to determine the nature and scope of the incident. It was determined that certain information was encrypted by ransomware.”
The investigation also found that cybercriminals retained unauthorized access to the company's systems for nearly six months before the breach was discovered.
“Summit’s investigation determined there was potential unauthorized access to its server between January 24, 2020 and June 5, 2020,” the company added. “Summit then worked to identify its patients whose personal information may have been accessible to the unauthorized actor. That process concluded July 28, 2020.”
While there may be no evidence that bad actors viewed or stole patient information, the affected server housed personally identifiable information such as names, medical information and Social Security numbers.
The number of potential victims was not revealed. However, the company acknowledges the risk of identity theft and fraud, and urges customers to review their account statements for suspicious activity.
The healthcare industry has become a prominent target for cybercriminals amid the pandemic, accounting for 51% of all incidents disclosed in the first quarter of 2020. Medical records sell like hotcakes on the dark web, and bad actors have managed to build a successful business around them.
The company also said it will notify the Department of Health and Human Services and other regulators of the incident, and advised users to report any misuse of personal information to law enforcement agencies, medical providers or financial institutions.