A ransomware attack on Honolulu-based fetal diagnostics firm likely impacted over 40,000 patients

• The compromised information includes patients’ names, dates of birth, addresses and medical data.
• A specially crafted malicious software was used to access the data stored in the firm’s servers and encrypt it.

Honolulu-based Fetal Diagnostic Institute of the Pacific (FDIP) was hit by a ransomware attack that may have compromised the data of around 40,800 patients.

The data of both past and current patients is believed to have been affected by the attack. Information such as patients’ names, dates of birth, addresses and medical data may have been compromised by the ransomware attack.

However, FDIP claimed that no financial data was impacted in the breach. The healthcare organization’s officials claimed it does not store such data in its servers.

According to an official notice published by the firm, the attack was discovered on June 30, 2018. A specially crafted malicious software was used to access the data stored in the servers and encrypt it. Upon learning about the attack, FDIP quickly took action, successfully terminating the ransomware, and restoring its systems using backup files.

“FDIP engaged a leading cybersecurity firm and was able to successfully remove the malware and restore the data using backup files maintained for such a contingency. FDIP takes seriously our responsibility to protect the confidentiality of patients' personal information. Our policies prohibit the improper use, access, or disclosure of patients' confidential personal information,” FDIP said in a statement.

The investigating cybersecurity firm is yet to come to a definitive conclusion about whether any patient data was actually viewed or removed from FDIP’s server. However, in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the healthcare firm will soon be reporting the incident to the US Department of Health and Human Services. FDIP claimed that it has also implemented additional security layers to prevent any future attacks.

“The cybersecurity firm cleansed FDIP's computer systems, confirmed that no malware remained, and implemented additional protections to help avoid any future incidents. We do not expect that patients will experience any harm from this unauthorized disclosure, and there is no action patients need to take at this time,” FDIP said. “However, should any patient receive any suspicious communications or become aware of other activity they believe may be related to this event, please inform us immediately.”