The sleepy bedroom community of Queen Creek, Arizona is nestled in the heart of the Sonoran Desert at the extreme edges of Greater Phoenix. This quiet suburb is set up for families, and offers easy access to other parts of the Phoenix area as well as its own services and amenities.
As with many suburbs and outlying communities, most of the attention goes to the core city or its more prominent municipalities. With Phoenix and Scottsdale next door, a community like Queen Creek would seem to fly under the radar while its neighbors get the lion's share of the attention.
That was not the case in a recent cyberattack against one of the town's family medical providers. That a little-noticed desert town was hit is less surprising than it sounds, since ransomware crews target reachable systems rather than prominent places. What stands out is the scope of the attack, and the fact that the provider had a backup plan in place before it happened and still lost its data.
Lost in the Desert
The healthcare provider Desert Wells Family Medical has long served the people of Queen Creek and nearby areas with health clinic services. The practice uses an electronic health record system in which it stores data, including protected health information (PHI), which HIPAA requires it to safeguard.
On May 21, 2021, Desert Wells was hit with a cyberattack. The number of people affected is striking for a commuter town on the urban fringe: the attack compromised 35,000 patients' personal information. Beyond names and medical data, the information includes birth dates, Social Security numbers, and billing account numbers. As part of the cleanup efforts, Desert Wells began contacting affected patients.
While these attacks are becoming more common, and often hit organizations that have no usable backups at all, what is more alarming in the Desert Wells incident is that the practice did have a backup solution. The attack involved ransomware, and the criminals not only encrypted the clinic's data but also corrupted its backup files, which were reachable from the compromised network. Without an intact copy anywhere else, the data was effectively irretrievable.
Turning Up the Heat
Informing patients of the attack is only one of Desert Wells' headaches, as it also bore the cost of credit monitoring and identity theft protection services for affected patients. Rebuilding the large amount of patient information collected over the years and lost in the attack is a gargantuan task.
Desert Wells can collect some of that information from other sources, including pharmacies, hospitals, labs, and medical imaging centers. However, much of the data lost in this cyberattack is permanently gone. Daniel Hoag, MD, of Desert Wells addressed the situation and its grim reality, as well as the practice's plans to prevent a repeat.
“We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause. I’m sure many of you have been reading about other healthcare providers in the community, and around the country, that have been impacted by cybersecurity events. For our part, we are continuing to take steps to enhance the security of our systems and the data entrusted to us, including by implementing enhanced endpoint detection and 24/7 threat monitoring, and providing additional training and education to our staff.”
Comprehensive, HIPAA-Compliant Security
Part of what hurt Desert Wells was that the attack defeated its backup plan: the backups sat on storage the attackers could reach over the network, so they were corrupted along with the production data. No comprehensive data security solution is complete without an offline backup, a copy held on a device that is disconnected from the network between backup runs, so that an attacker who controls the network still cannot touch it. Had such a copy existed here, the practice could have restored from it. An offline copy only helps if it is refreshed on a schedule, verified after each run so that corruption is caught before it is needed, and kept physically secure.
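The verification step above is the one most practices skip. As an added example that is not part of the original article or any vendor's software, the script below records a SHA-256 manifest when a backup set is written and later checks the set against it, flagging files that were overwritten (as ransomware does when it encrypts in place), removed, or renamed. The directory layout and file contents are constructed for the demonstration; the manifest must be stored somewhere the backup host cannot modify, such as the offline medium itself or write-once storage, or an attacker can simply rewrite it along with the backups.

```python
"""Detect ransomware-style corruption in a backup set by comparing every file's
SHA-256 digest against a manifest captured when the backup was taken."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large EHR exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk with the stored manifest.

    Returns the files whose contents changed (in-place encryption), files that
    disappeared (deleted or renamed), and files that were not in the manifest
    (renamed copies, ransom notes, attacker tooling)."""
    current = build_manifest(backup_root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, record its manifest, then simulate
    ransomware overwriting one file in place and renaming another.

    The manifest is serialized to JSON here to stand in for writing it to a
    separate, attacker-unreachable location; in a real deployment it would be
    read back from that location, never from the backup host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"constructed patient records")
        (root / "ehr" / "billing.csv").write_bytes(b"constructed billing data")

        manifest_json = json.dumps(build_manifest(root))  # stored off-host in practice

        # Simulate the attack: encrypt one file in place, rename another.
        (root / "ehr" / "patients.db").write_bytes(os.urandom(27))
        (root / "ehr" / "billing.csv").rename(root / "ehr" / "billing.csv.locked")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check against each backup run before it is marked good and before the offline medium is rotated out; a non-empty `modified` or `missing` list means the set cannot be trusted for restoration, and an `unexpected` entry ending in an unfamiliar extension is often the first visible sign that ransomware has reached the backup path.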
SecureDrive and SecureUSB are hardware-encrypted data storage devices that require user authentication to unlock. Without the credential, neither the KP nor the BT line can be unlocked. If a drive is lost or stolen, its tamper-resistant, epoxy-coated internals and hardware encryption prevent an unauthorized user from extracting data without the password. After ten consecutive unsuccessful password attempts, all data on the drive is permanently erased, which defeats brute-force guessing. SecureDrive storage devices are designed to support HIPAA compliance and to suit any medical practice, large or small.
The BT line is unlocked from a paired mobile device, so the user must be physically near the drive to open it. It may be enhanced with Remote Management, which allows an administrator to set time and geographic parameters that restrict device use to approved locations and to certain hours of the day.
To learn how to protect PHI and create a thorough solution that meets strict HIPAA standards, contact an expert today at 424-363-8535.