Patients’ data compromised by attack on Mind and Motion Developmental Centers of Georgia

A security breach at a medical facility in Georgia, US, exposed up to 16,000 patients’ records after ransomware was found on its servers.

Mind and Motion Developmental Centers of Georgia revealed in late November that medical records had been compromised as a result of the ransomware, which was discovered on September 30.

Personal information of patients, including names, addresses, birth dates, medical records, Social Security numbers, and insurance details were potentially taken in the hack.

“Immediately after the server attack, we hired a compliance consulting firm to make sure we are in compliance with all HIPAA rules and regulations and to assist while reporting the breach to the US Department of Health & Human Services,” the notification read.

“According to the security breach reported provided [sic] by TeamLogic IT, it was also discovered that an inactive keylogger and spam emailer had been installed. No other serious virus or malware programs were readily visible.”

In an email exchange, a spokesman for the medical center told The Daily Swig that its cybersecurity practices have improved since the attack.

Prior to the leak computers were not updated regularly and not all staff members were trained on how to spot security issues such as phishing attacks.

The spokesman said: “Computers did have various types of anti-virus / anti-malware. Not all had most recent updates and scans were not run daily.

“Username / password standards were enforced but not up to the level of security we have implemented now (i.e. complex passwords requiring a certain amount of digits and characters, requirements for password changes being made every 90 days, etc.).”

He added: “We will be performing a staff training with Compliancy Group to ensure our employees have been updated with best practice for preventing attacks and other work place best practice for complying with HIPAA.

“We have also already spoken with the Department of Health and Human Services about providing mid-year, supplemental trainings for new hires and individuals with questions.”

Higher standards

To its credit, Mind and Motion Centers has been transparent about the incident and has committed to improving its security hygiene.

The treatment facility didn’t release any information on whether a ransom was paid, but it did note that no patients have reported any “inconvenience” due to the data theft.

While 16,000 is a sizeable number of records to have been exposed, it pales in comparison to the Atrium Health breach, also reported in November, which resulted in the personal information of more than 2.5 million people being compromised.

The healthcare incident came as attackers gained unauthorized access to a patient database hosted by AccuDoc Solutions – once again underlining the risks organizations face when entrusting third parties with their customers’ data.