Utah practice says 320,000 patient records hit in ransomware attack

More than 300,000 patients had data compromised in a July ransomware attack at Premier Family Medical, the physician group disclosed to the federal government last week.

On Saturday, the physician group reported to the federal government that data on 320,000 patients had been compromised as a result of the breach, according to a submission posted by the HHS’ Office for Civil Rights, the agency that maintains the government’s database of healthcare breaches.

Premier Family Medical, which operates 10 primary care, dermatology and orthopedics clinics in Utah, had released a notice of the ransomware attack Aug. 30.

The notice did not disclose how many patients had protected health information affected in the ransomware attack, although the physician group said patients who had been treated at any of its locations would be alerted to the incident.

On July 8, Premier Family Medical discovered it had been hit by ransomware, a type of malicious software that encrypts a victim’s computer files, according to the notice. Hackers typically offer to decrypt these files in exchange for a ransom payment.

Premier Family Medical did not specify in the notice whether it paid the ransom demand. Cybersecurity experts, including the Federal Bureau of Investigation, have traditionally discouraged organizations from paying ransoms, arguing that complying with these demands incentivizes cybercriminals. In some cases, hackers have refused to provide an organization with a decryption key, even after receiving a ransom payment.

Premier Family Medical did not respond to a request for comment by deadline.

In its August notice, Premier Family Medical said it was working with law enforcement and technical consultants to investigate the incident and regain access to systems that had been encrypted by the ransomware. Based on the investigation so far, the group said it believes patient data was encrypted, but not accessed, by the hackers.

“Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems,” Robert Edwards, Premier Family Medical’s chief administrator, said in the notice.