A new data breach and malware incident reinforces the need for organizations to vet cybersecurity for their vendors, as well as themselves.
Some patients at the Cincinnati-based Mayfield Brain & Spine clinic received emails containing malware after an unauthorized person accessed the provider's account through an outside vendor, according to a statement on Mayfield's website. The vendor sends educational information, clinic announcements, newsletters and other Mayfield-related information to patients.
Those who received the fraudulent email were directed to download an attachment that triggered the download of a ransomware virus.
"Mayfield's first priority is always the well-being of our patients," Thomas Rosenberger, vice president of communications for Mayfield, said in statement. "Once we learned of the incident, we immediately communicated with recipients by email, by social media and on our website, including both notification and instructions on how to remove the virus."
The clinic has sent information to patients on how to remove the malware, begun to work with the vendor's compliance office to understand how the breach happened and reviewed its policies to protect against further misuse of patient information.