By John R. Fischer, Senior Reporter | September 17, 2021
A Texas healthcare provider is facing backlash for waiting seven months to notify over 161,000 patients of a ransomware attack it experienced earlier in the year.
Patients did not receive word of the incident, which occurred in early January, until August, when Gastroenterology Consultants mailed them a notice. Many were also astonished to learn that the practice had paid the hackers the ransom and trusted them to delete the stolen data in exchange, according to KHOU 11 Investigates.
“It’s just ridiculous,” patient Amber Wietlispach told the news channel. “You can pay them off, but how do you know? How do you know that they really got rid of your information?”
While the organization’s patient medical record system was not affected, Gastroenterology did confirm that Social Security numbers for a small number of patients were compromised, and that the attack primarily exposed names, addresses and personal health information. “Based on our negotiated resolution with the attacker, we received assurances that any potential exfiltrated data had been destroyed,” it said in its letter to patients.
The company says it has changed all passwords, disconnected its systems and conducted a full forensic investigation to determine how the hackers infiltrated its network. It added that it had preliminarily notified patients by posting a notice on its website. Patients say this is not enough, since they do not regularly check the site.
“I'm a data expert. I know what can happen and the seriousness of it and frankly, it scared the hell out of me,” said Del Murphy, a patient and former software assurance expert for NASA.
Gastroenterology alerted federal authorities at HHS in March but did not notify state authorities until August. This violates Texas law, which requires that any breach affecting more than 250 Texas residents be reported to the state attorney general within 60 days, according to KHOU 11 Investigates.
Privacy Rights Clearinghouse, a consumer advocacy nonprofit, told the news channel that notifying patients in a timely manner is essential. “Every single second that you are not aware of that breach, it’s increasing the risk of identity theft,” said policy counsel Emery Roane. “You are unable to make the best-informed decision about whether to freeze your credit or get identity protection services.”