Queen Creek, Ariz.-based Desert Wells Family Medicine recently began notifying 35,000 patients that their EHR data was compromised by a ransomware attack.
The clinic's IT system has been down since experiencing the May 21 ransomware attack, Desert Wells said in a Sept. 3 online notice to patients. After investigating the incident, the clinic discovered that the hacker who accessed its IT system corrupted its EHR data, making all records from before May 21 unrecoverable.
The medical center did have the information backed up, but the hacker also corrupted that data, according to the notice.
Desert Wells Family Medicine reported the breach to HHS on Aug. 30 as affecting 35,000 individuals. Patient information exposed by the incident included names, Social Security numbers, addresses, birthdates, billing account numbers, medical record numbers and treatment information.
Desert Wells said there is no evidence that any of the exposed information has been misused and that it is rebuilding patients' health records in a new EHR system. The clinic is compiling patients' data from other sources, including previous providers, hospitals, pharmacies, labs and imaging centers.
"We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause," Daniel Hoag, MD, a family medicine physician at Desert Wells, said in the online notice. "I'm sure many of you have been reading about other healthcare providers in the community, and around the country, that have been impacted by cybersecurity events. For our part, we are continuing to take steps to enhance the security of our systems and the data entrusted to us, including by implementing enhanced endpoint detection and 24/7 threat monitoring, and providing additional training and education to our staff."
Desert Wells also is offering free credit and identity monitoring services to any affected patients.