Medical Provider Waited Months to Send Letters to Patients Regarding Ransomware Attack

When the letter finally arrived, it contained disturbing news about a deal made with the hackers.

HOUSTON – A local healthcare provider attacked by a ransomware virus failed to send letters to patients notifying them of the data breach for months, KHOU 11 Investigates confirmed.

Gastroenterology Consultants sent notices to more than 161,000 patients on August 6, informing them of a “data security incident” that occurred on January 10.

“It’s just ridiculous,” said patient Amber Wietlispach.

But the late notification is not the only thing that bothers patients. The letter also stated that the company paid the hackers a ransom and then trusted the criminals to keep their word and delete the data.

“Based on our negotiated resolution with the attacker, we were assured that all potentially exfiltrated data had been destroyed,” the letter said.

For Wietlispach, that assurance offers no peace of mind.

“You can pay them back, but how do you know? How do you know they really got rid of your information?” she said. “How do you trust someone you’ve had to pay money to?”

Gastroenterology said only a fraction of its patients had their Social Security numbers compromised and that the stolen data was limited to names, addresses and some personal health information. The company said its patient medical record system was not affected by the incident.

“Gastroenterology immediately changed all passwords, logged off its systems and launched a full forensic investigation to determine the nature and extent of the incident in order to understand the vulnerability of its network,” said the company in a press release.

However, the company did not promptly report the hack to state authorities. Under Texas law, companies are required to notify the Attorney General’s office within 60 days of any data breach affecting more than 250 people. Records provided by Gastroenterology show that the notification did not take place until August 9, seven months after the data breach.

“It’s laughable, it’s contemptible,” said patient Del Murphy.

Murphy is a former longtime software assurance expert at NASA and no stranger to the world of hacking.

“I’m a data expert,” he said. “I know what can happen and the seriousness of it and frankly it scared me.”

Gastroenterology Consultants said the company notified federal authorities at the U.S. Department of Health and Human Services on March 19, and also informed patients of the incident in advance by posting a notice on its website. But neither Wietlispach nor Murphy said they had any reason to check the website regularly. Murphy said he repeatedly called the company and its Los Angeles-based law firm to ask why it took months for a letter to arrive in the mail.

“Well, we took a while to find your address,” Murphy said he was told.

“It doesn’t take long to find my address if I forget to pay my bill,” he said.

Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, said timely notification is essential and hoped the Texas attorney general’s office would take strong enforcement action.

“Every second that you are not aware of this breach increases the risk of identity theft,” said policy counsel Emery Roane.

“You are not in a position to make the most informed decision possible to freeze your credit or obtain identity protection services.”

Gastroenterology Consultants said it is providing free credit monitoring and identity theft restoration services only to the small number of patients whose Social Security numbers were affected. The company did not explain why it took months to notify state officials, but said it has revised its policies and procedures to mitigate the risk of future problems.

“Gastroenterology sincerely regrets any inconvenience or concern this matter may cause and remains committed to ensuring the confidentiality and security of all information under our control,” the company statement said.

Jeremy Rogalski on social networks: Facebook | Twitter | Instagram