A medical center offering oral surgery services has notified 128,000 patients of a ransomware attack that might have exposed their information. On 24 September 2017, Arkansas Oral & Facial Surgery Center sent out breach notification letters to affected patients. Those letters reveal that the medical center detected the ransomware attack back on 26 July 2017. At that point, it contacted the FBI and launched an investigation into the incident, from which it determined that the ransomware infection had occurred earlier that day or during the previous evening. Arkansas Oral & Facial Surgery Center's investigation also identified the files affected by the incident. As quoted in a breach notification letter obtained by DataBreaches.net:
"Except for a relatively limited set of patients, our patient information database was not affected by the ransomware, however, imaging files, such as x-rays, and other documents such as attachments were impacted. While our investigation into the matter continues, it does not appear that patient information was stolen from our system. However, the ransomware has rendered the imaging files and documents inaccessible. Based on our present investigation, it also appears that the ransomware rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident. Because we are unable to determine with reasonable certainty whether or not the perpetrator(s) placing the ransomware on our systems accessed patient information, and due to the impact on the availability of images and other files, we are providing you with notification of this incident."
The ransomware attackers might have exposed patients' personal information including their names, addresses, and Social Security Numbers as well as their medical information such as treatment plans and health insurance data. Following its discovery of the attack, Arkansas Oral & Facial Surgery Center implemented a new records system and set up affected patients with a year of free credit monitoring protection. Going forward, it recommends that victims of the incident periodically review their credit reports for suspicious activity and consider placing a fraud alert or security freeze on their credit files. News of this attack comes more than a year after Hollywood Presbyterian Medical Center met ransomware attackers' demand of $17,000.