Houston Provider Delayed Notice of Ransomware Attack for Months

The data breach at Gastroenterology Consultants occurred in January, but patients only began receiving letters about the ransomware attack in early August.

Gastroenterology Consultants in Houston, Texas, began notifying over 161,000 patients of a January ransomware attack on August 6. The notification came as a surprise to many patients who were unaware of the breach for months, KHOU 11 Investigates reported.

Texas law requires businesses to notify the Attorney General’s Office of a data breach within 60 days if it impacted more than 250 individuals. Gastroenterology Consultants did notify federal authorities at HHS’ Office for Civil Rights (OCR) on March 19, but failed to notify Texas officials of the cyberattack until August 9.

The provider posted a notice on its website on March 19 as well, notifying all patients of the January 10 ransomware incident that may have exposed Social Security numbers, files containing patient processing information, and other personally identifiable information (PII). The EHR system was not impacted.

But patients told KHOU 11 Investigates that they had no reason to ever check the specialty practice's website and were unaware of the data security incident until they received a letter in the mail seven months after the breach.

“After undertaking an extensive data mining process to determine specifically whether any patient or employee had any sensitive Personal Information or Personal Health Information exposed, we, unfortunately, learned that the time and effort to manually review thousands of documents was not cost-effective,” Gastroenterology Consultants explained in its March 19 statement.

“Therefore, although there is no evidence of any unauthorized use of patient or employee data, we have determined it best to issue mail notifications to all employees and patients detailing the specific type of information potentially exposed.”

Those letters took months to reach patients’ homes, leaving many concerned about the safety of their data. When one patient called the provider and its law firm to ask why it took multiple months to receive a letter, he was dissatisfied with the response.

“Well, it took us a while to find your address,” the law firm told Del Murphy, according to KHOU 11 Investigates.

“Doesn’t take very long to find my address if I forget to pay my bill,” Murphy remarked.

When patients received the notice, they also discovered that Gastroenterology Consultants had paid ransom money to the hackers in exchange for assurances that their data would be deleted.

“Based on our negotiated resolution with the attacker, we received assurances that any potential exfiltrated data had been destroyed,” the letter explained.

Both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have repeatedly advised against paying ransoms to attackers, as payment does not guarantee that the stolen data will be secured or deleted. In addition, it may incentivize attackers to commit more cyberattacks in the future.

“You can pay them off, but how do you know? How do you know that they really got rid of your information,” asked Amber Wietlispach, a patient at Gastroenterology Consultants, in the local news report. “How do you trust somebody that you had to pay money to?”

Gastroenterology Consultants provided free credit monitoring and identity theft services only to the small fraction of patients whose Social Security numbers were impacted by the ransomware attack. The provider did not comment on why it took many months to notify authorities and send letters to patients.
