April 2019
Editor's Note: Up a Creek
By Lee DeOrio
For The Record
Vol. 31 No. 4 P. 3
It’s come to this. A physician’s practice announced it was closing its doors at the end of this month because hackers wiped clean its computer database. Brookside ENT and Hearing Center, located in Battle Creek, Michigan, refused to pay a $6,500 ransomware demand, prompting the perpetrators to delete all of the practice’s files, according to local news affiliate WWMT.
William Scalf, MD, and his partner John Bizon, MD, told the TV station that they did not pay the hackers because there was no way to guarantee the files’ return. Bizon said the medical record files were encrypted and could not be accessed by the hackers. No information was copied or shared, he said. The partners decided to retire early rather than rebuild their practice from the ground up.
No doubt, this is a mind-boggling case. Where to start? First, had the practice correctly followed the HIPAA Security Rule, it would have had a data backup plan in place; the rule lists one as a required implementation specification under its contingency plan standard. A backup plan only helps against ransomware, though, if the copies are kept offline or otherwise out of reach of the same credentials and systems the attackers control, and if restoring from them has actually been tested. “If this part of the rule was in place, they could have used their backups and restored information to a previous date,” says Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, a senior privacy/security consultant at tw-Security and an editorial advisory board member for For The Record.
Another section of the Security Rule lists log-in monitoring as an addressable implementation specification, and addressable is not the same as optional. “It means if you aren’t doing it, you need to provide the alternatives to this measure,” Lucci says.
Then there is the Privacy Rule and patients’ right of access to their records. How can the practice simply “decide” to call it quits instead of doing what federal regulation requires? WWMT caught up with Ann Ouellette, whose daughter is a patient at Brookside. “What am I going to do now, because she just had surgery—who is going to follow up? I’m going to have to start all over again; they don’t know all of what happened during the surgery,” Ouellette said.
Lucci says the breach notification rule classifies ransomware as a breach, which requires individual notification. “All large breaches are investigated and likely the absence of compliance evidence would result in a settlement agreement fine and generally a corrective action plan, but if they decide to permanently close the practice, then that would be off the table,” Lucci says.
It appears that Brookside did not explore every avenue for restoring the files before giving up on them.
“The worrisome fact of not having records to provide to patients for their ongoing care seems unprofessional,” Lucci says. “Physicians would likely have an ethical duty to do whatever it takes to get the records restored. Bring in forensics experts—investigate, make the investment to conclude this final chapter, and then go retire, but do the right thing, the right way.”
In all likelihood, this story won’t end here. Who knows, perhaps by the time you read this, Brookside will have taken steps to better rectify the situation. But the fact that it happened at all raises several alarming red flags.