According to a security incident notification issued by the Jones Eye Clinic, a security attack on the clinic's computer network which potentially affected the protected health data of over 40,000 patients was discovered on August 23, as reported by the Sioux City Journal.
Moreover, the clinic stated in its advisory that the attack compromised the information of patients registered or treated at the Jones Eye Clinic or at the CJ Elmwood Partners, L.P. affiliated surgery center between January 1, 2003, and August 23, 2018.
During the morning of August 23, the clinic's staff discovered that their computer network was the victim of a ransomware attack which encrypted their data and requested a ransom to unlock the information.
However, the clinic's staff helped by multiple tech companies was able to recover all encrypted files using up to date data backups, therefore not having to pay the ransom requested by the actors behind the cyber attack.
The Jones Eye Clinic was also able to deploy new security protection technology throughout its network to prevent any other future intrusions.
The clinic stated in its notification that although it was able to restore all the locked during the ransomware attack, the attackers could have potentially accessed and exfiltrate the protected health information of the Jones Eye Clinic and the Surgery Center.
The Jones Eye Clinic was able to restore all encrypted files using its data backups
Immediately after noticing the ransomware incident, the clinic started an investigation, hired a professional forensic computer investigator, and notified the FBI.
According to the investigation, the crooks who compromised Jones Eye Clinic's network could have also accessed the patients' scheduling and software software, however, the electronic medical records were left untouched.
The clinic's billing and scheduling software contained patients'"full name, address, date of birth, date of service, medical record number, and a general description of the clinic visit or surgery," says the incident report.
Furthermore, "For some individuals, information may have included Social Security number, insurance status, and claims information. The information did not include other financial information such as bank account or credit information."
All patients impacted by the Jones Eye Clinic ransomware attack were contacted using letters containing the steps that need to be taken by each individual to prevent identity theft and fraud incidents.