Privacy & Information Security Law Blog

On June 26, 2017, Airway Oxygen, a provider of oxygen therapy and home medical equipment, reported that it was the subject of a ransomware attack affecting 500,000 patients’ protected health information. The attack is the second largest health data breach recorded by the Office for Civil Rights (“OCR”) this year, and the largest ransomware incident recorded by OCR since it began tracking incidents in 2009.

According to Airway Oxygen’s statement, the company discovered the presence of ransomware on its systems in April 2017. The company’s investigation determined that attackers were able to access 500,000 patients’ names, addresses, birth dates, telephone numbers, medical diagnosis and treatments, and health insurance policy numbers. The personal information of approximately 1,160 current and former employees was also compromised. The company has not commented on whether the demanded ransom was paid.

This reported incident follows last month’s WannaCry ransomware attack, which affected tens of thousands computers in over 100 countries. It also comes on the heels of a massive malware attack reported on June 27, which shut down computers all over the world. The malware involved in the June 27 attack mimicked many characteristics of ransomware, but its ultimate objective was to wipe the hard drives of infected networks, without giving victims the opportunity to pay to retrieve their data. Researchers believe that attackers designed the malware to mimic ransomware in order to leverage the widespread media attention garnered by the WannaCry attack.

As the events of the past two months have shown, ransomware is a growing concern. These recent high profile attacks are part of an overall trend in the evolving threat landscape. Businesses and other organizations should take into account the myriad legal considerations in their efforts to prevent, investigate and recover from these disruptive attacks.