A January ransomware attack on Cochise Eye & Laser, based in Sierra Vista, Arizona, has put the electronic protected health information ( ePHI) of up to 100,000 people at risk. The attack has also prevented the company from accessing its scheduling and billing system, forcing staff to resort to paper records to continue operations.
What is Cochise Eye & Laser?
RF Eye Professional Corporation, doing business as Cochise Eye & Laser, was founded in 1979 by ophthalmologist Thomas Rodcay to serve Cochise County, located in southeastern Arizona. Although Rodcay retired in 2016, he helped grow Cochise Eye & Laser over the next three decades to operate three facilities—two in Sierra Vista and a Wednesday-only clinic in Benson—anchored by ophthalmologists and optometrists.
What have Cochise clients been told?
On Feb. 17, the company posted a notice to its website disclosing that a data breach had occurred on January 13 via a "ransomware virus" that encrypted its patient scheduling and billing systems. The latter included patient birthdates, addresses, phone numbers, and in some cases Social Security Numbers. "There is no evidence that the data was taken, only that it was encrypted, and in some cases deleted, making it impossible for us to access anything in our scheduling system," the notice explains. "Although there is no evidence the data was taken, this is considered a breach of protected health information." As a result, Cochise advises its patients to place a fraud alert on their credit file with providers like Equifax, Experian, or TransUnion.
What else is known about the attack?
As required by law, Cochise Eye and Laser reported the hack to the Office of Civil Rights at the U.S. Department of Health and Human Services on February 12, explaining that the "hacking/IT incident" involved a network server, and may have affected 100,000 individuals. As a result of the breach, Cochise has for now fallen back to hardcopy-based operation, reconstructing schedules via paper charts and contacting any patient who had come in so far this year to determine when they should come in for follow-up appointments. Meanwhile, the company says it is working to recover data, increasing its security measures, and establishing offsite backups.
SEE ALSO: Avoid the Worst-Case Scenario with a Business Continuity Plan
How could this hack been prevented?
There are limited details available about the ransomware attack, and the investigation is ongoing. While Cochise says that it is investing in data recovery and offsite backups, neither offer hints as to what weakness was exploited to encrypt its business server. We do know that email is the most common threat vector. Hackers often leverage social engineering tactics via phishing emails to trick employees to open and install malware. To mitigate this common risk, companies should start by implementing email best practices, reinforcing them through regular cybersecurity training. Fortunately, there are also technical countermeasures that can be deployed to keep malicious emails from reaching employees in the first place. Enabling HIPAA compliant email with Paubox Email Suite Plus is an important part of preventing the unauthorized disclosure of PHI through our inbound and outbound email security features. It comes with inbound email security tools that protect against ransomware, viruses, phishing emails, display name spoofing emails, and more.
Try Paubox Email Suite Plus for FREE today.