How Many Mistakes can You Spot in This Breach Report?
Episode 180 · 16th September 2021 • This Week Health: News • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today in Health IT we're gonna play a little game. We're gonna look at a ransomware incident, how this organization responded, and just pick out how many things they did wrong in such a short period of time. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping Health IT staff current.

th this week in health it in:

Just shoot me a note at partner@thisweekinhealthit.com. All right. Let's get to today's story. Sometimes you have to look at the absurd in order to make a point of it so that people can avoid some of these things. So here it is. It's from KHOU.com, which is, I assume, a TV station out of the Houston area.

"Medical provider waited months to send patients letters about ransomware attack." Here are the excerpts. A local healthcare provider attacked by a ransomware virus did not send letters to patients informing them of the data breach for four months. Gastroenterology Consultants mailed notices to more than 161,000 patients on August 6th, informing them of a data security incident that occurred on January 10th.

That's quite a number of months. One patient said it is just ridiculous, but the delayed notification is not the thing upsetting patients. The letter also indicated that the company paid the hackers ransom money and then trusted the criminals to keep their word about deleting the data. Well, who better to trust than the people who hacked you and stole the information? "Based on our negotiated resolution with the attackers, we received assurances that any potential exfiltrated data had been destroyed," the letter stated. Wow, that would make me feel better if I was one of those patients. The so-called assurances do not offer any peace of mind to the patients. You can pay them off, but how do you know?

How do you know that they really got rid of the information? How do you trust somebody that you had to pay money to? Gastroenterology said only a fraction of its patients had their Social Security numbers compromised, and the hacked data was limited to names, addresses and some personal health information.

The company said its patient medical record system was not impacted by the incident. Gastroenterology immediately changed all passwords, disconnected its system, and launched a full forensic investigation to determine the nature and scope of the incident and to understand the vulnerability of its network, the company said in a statement.

However, the company did not promptly report the hack to state authorities. Under Texas law, businesses are required to notify the Attorney General's office within 60 days of any data breach affecting more than 250 people. Records provided by Gastroenterology show that the notification didn't occur until August 9th, seven months after the data breach.

Gastroenterology Consultants said that the company did notify federal authorities at the US Department of Health and Human Services on March 19th, which they're required to do by law, and also preliminarily notified patients of the incident by posting a notice on its website, but none of the patients who they interviewed for this piece had any reason to check the website on an ongoing basis, so they did not know that this had happened.

One of the patients repeatedly called the company and its Los Angeles-based law firm, asking why it took months to get a letter, and they said, well, it took a while to find your address. And the response was, it doesn't take very long to find my address when I forget to pay my bill, which is probably true.

Privacy Rights Clearinghouse, a consumer advocacy nonprofit, said timely notification is critical and hoped the Texas Attorney General's office would take strong enforcement measures. Every single second that you are not aware of a breach, it's increasing the risk of identity theft. Policy counsel Emory Roane said you are unable to make the best informed decisions about whether to freeze your credit or get identity protection services.

Gastroenterology Consultants, out of the kindness of their hearts, said it provided complimentary credit monitoring and identity theft restoration services, but they only did it for a small number of patients whose Social Security numbers were impacted. It did not comment on why it took months to notify state authorities.

But it said it's revised its policies and procedures to mitigate the risk of future issues. "Gastroenterology sincerely regrets any inconvenience or concern that this matter may cause, and remains dedicated to ensuring the privacy and security of all information in our control," the company stated. Wow.

What's the so what on this? I mean, it's almost like a Where's Waldo: count the number of mistakes they made in this process. Number one, they don't seem to value the patient's identity or security, for starters. This is an organization that decided to notify people by posting something on their website, which they know full well won't reach them.

You can just look at the statistics. If you had 161,000 patients breached, just look at the stats of your website and figure out how many people hit your website a day. My guess is it's somewhere in the hundreds, maybe even close to a hundred based on the number of patients they have, and they're thinking that 161,000 people are gonna check that website.

They know better. And they should have made every effort to get the information out there. You have to come clean in these situations. If not by law, I mean, clearly the law states that you have to let HHS know, you have to let the local state authorities know as well. So that's just problem number one.

But I think it's indicative of a cultural problem, that they do not respect their patients, and there appears to be some underlying aspect of this, that they're trying to get out of this with as little cost to them as possible. When you look at the fact that they provided identity protection to just those people with Social Security numbers, that's ridiculous.

I mean, you're talking about an outlay that is, I guess it is a fair amount of money when you're talking maybe a hundred bucks, 200 bucks a person, and you're talking 161,000 patients. Yeah, clearly that is a fair amount of money, but that's the price of security for a healthcare provider, and this is a healthcare provider.

They are collecting sensitive information about patients, and they should either have insurance to cover that cost or they should have the wherewithal to have that kind of money available in the event of a breach such as this. It is hard to believe that they did not cover more of those patients.

It's hard to believe that they did not make this known to the community and to those around them. They negotiated with ransomware terrorists, essentially, and then took them at their word. Again, this is the kind of information I would want to know as a patient. They are really playing roulette with my information, with my identity, with my accounts and my life, and that's the kind of thing I would expect them to take seriously and to inform me of as soon as is possible given the nature of the investigations that had to go on.

And the other thing is, I read this thing and I'm not entirely sure that they are not at risk for another breach in the near future. If this were a provider that I was going to for care, I would find a different provider. So that is our object lesson for the day. And if you are this kind of provider or some kind of small provider, you need to get help.

You need to get the right amount of budget to go out and find an organization that can help you put the right security measures in place to protect against ransomware and other types of attacks. And I understand this is probably a small IT shop, but if you are collecting this information, it is a requirement to get the help you need to ensure that you have the security in place that you need.

That's all for today. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher, you get the picture. We are everywhere. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders:

VMware, Hillrom, Starbridge Advisors, McAfee and Aruba Networks. Thanks for listening. That's all for now.
