Ransomware Attack on Orthopedic Associates of Dutchess County and Entrust Medical Billing

Orthopedic Associates of Dutchess County, a New York medical group practice, has made an announcement about the potential theft of protected health information (PHI) of a number of patients during a cyberattack recently.

The security event was noticed on March 5, 2021 after discovering suspicious activity within its systems. A probe into the occurrence verified the unauthorized access of certain persons in its network on or about March 1, 2021. The attackers obtained access to a number of systems and encrypted files and made a ransom demand to get the keys for unlocking the encrypted files.

The hackers professed they had ripped off sensitive information before encrypting the files, even though it wasn’t possible to identify which files were compromised. An assessment of the systems, which the attackers accessed showed they comprised files with PHI including names, addresses, email addresses, contact phone numbers, dates of birth, payment data, emergency contact details, diagnoses, treatment data, medical record numbers, health insurance details, and Social Security numbers.

People likely impacted by the breach were alerted via mail and were given a one-year complimentary membership to credit monitoring and identity theft protection services. Thus far, there are no reports of actual or attempted improper use of any patient data.

The attack resulted in the potential compromise of the PHI of 331,376 persons.

PHI of 5,426 Persons Exposed in Entrust Medical Billing Ransomware Attack

Entrust Medical Billing, a medical billing firm located in Canton, OH, has encountered a ransomware attack that caused the probable exposure of the PHI of 5,426 people.

Third-party cybersecurity experts were hired to investigate and find out the scope of the breach. On or about March 1, 2021, the investigation established that the hackers had exfiltrated a number of the files that contain PHI like names, birth dates, addresses, health diagnosis/clinical data/treatment type or location, healthcare procedure details, medical insurance data, and patient account number.

Though the investigation affirmed the data theft, there is no proof identified that shows attempted or actual misuse of the stolen information. Impacted persons have already been advised and those who had their Social Security numbers exposed got offers of free credit monitoring services. The company likewise enforced new technical safety measures and amplified its monitoring campaigns throughout its network environment.