Plastic Surgery Associates of South Dakota revealed on Friday (28 July) that a data breach may have compromised patient records after it was hit with a ransomware attack earlier this year. The company said it discovered that some of its systems were infected with ransomware on 12 February and hired third-party experts to determine what data could have been accessed by hackers.
"Plastic Surgery Associates immediately began efforts to remove the ransomware, decrypt the affected systems and hired third-party experts to determine what data, if any, was subject to unauthorized access as part of the ransomware incident", the company said in a statement. "While the investigation was able to rule out unauthorized access to the majority of our medical records, certain evidence became unavailable during our clean-up efforts.
"On or about April 24, 2017, we determined that without this evidence, we were unable to rule out unauthorized access to a limited number of patient records. Therefore, in an abundance of caution we are providing this notice."
The company did not offer any specific details regarding the evidence discovered. However, it said it currently has no evidence to suggest that patient data was misused as a result of the breach.
The patient records that were potentially accessed in the breach contained sensitive personal data including names, addresses, dates of birth, social security numbers, drivers' license numbers or state identification numbers, medical conditions, diagnosis information, lab results and health insurance information.
Plastic Surgery Associates of South Dakota has locations in Sioux Falls, Dakota Dunes, Yankton, Watertown, Mitchell and Spencer, Iowa. The company did not specify how many people may have been potentially affected by the breach.
About 10,200 people have been notified that their personal data may not have been protected, the Associated Press reports.
The company said the incident will be reported to the US Department of Health and Human Services and has offered a year of free credit monitoring to people who may have been affected.
It also advised customers whose records may have been compromised in the attack to monitor their account statements, credit reports and explanation of benefits forms for any suspicious activity or incidents of identity theft and fraud.
"The confidentiality, privacy, and security of our patient information is one of our highest priorities", the firm said. "We have stringent security measures in place to protect the security of information in our possession. In addition, as part of our ongoing commitment to the security of protected health information in our care, we are working to implement additional safeguards and security measures to enhance the privacy and security of information on our systems."
IBTimes UK has reached out to Plastic Surgery Associates of South Dakota for comment.