Houston-based Gastroenterology Consultants began notifying 162,000 patients their data may have been exposed in a ransomware attack more than seven months after the attack, according to a Sept. 9 report by Houston-based KHOU 11.
The Jan. 10 ransomware attack potentially exposed 162,163 patients and employees, according to data shared Aug. 6 by the Maine attorney general's office.
The Texas medical group said it resolved the cyber issues and remediated and restored its systems, according to a March 19 news release. After undergoing an extensive data-mining process to determine specifically which patients or employees had information exposed, the medical group felt it was more cost-effective to notify all patients and employees instead.
Under Texas law, businesses are required to notify the Texas Attorney General's Office within 60 days of a data breach affecting more than 250 people. However, records provided to the publication from the medical group show that notification didn't occur until Aug. 9, seven months after the data breach, according to the report.
Patients were upset about the delayed notification, but also that the company indicated they paid hackers to delete the data.
"Based on our negotiated resolution with the attacker, we received assurances that any potential exfiltrated data had been destroyed," the letter mailed to patients said.
"You can pay them off, but how do you know?" Amber Wietlispach, a patient with the medical group, told the publication. "How do you know that they really got rid of your information? How do you trust somebody that you had to pay money to?"
Gastroenterology Consultants said the company notified HHS March 19 and posted a data breach notice on its website. Patients told KHOU that they had no reason to regularly check the website. The medical group didn't comment on the reasons for waiting seven months to notify state authorities, but said it has revised its policies and procedures to mitigate future risks, according to the report.
"Gastroenterology sincerely regrets any inconvenience or concern that this matter may cause and remains dedicated to ensuring the privacy and security of all information in our control," the company told the publication.