Jennie Stuart Medical Center

Hackers placed ransomware on the covered entity's (CE) computer server. The servers stored protected health information (PH)I—addresses, dates of birth, driver’s license data, names, social security numbers, claims information, credit card and bank account information, medical diagnoses, lab results, medications, and other treatment information—for approximately 1,500 individuals. The data on the servers was encrypted and the hackers placed encryption on top of the CE’s encryption, preventing access by the CE. The hackers demanded a ransom, which the CE paid. After payment of the ransom, the CE re-gained access to the data on the server. The CE hired a third party to perform a forensic investigation, and the CE provided a complete copy of the investigative report to OCR. The CE also provided OCR with a detailed analysis of its risk assessment and its determination that the probability that data was compromised was very low. Out of an abundance of caution, the CE expanded its data security monitoring, updated its security management policies, and provided additional training to staff. OCR obtained assurances that the CE implemented the actions listed above.
Location of breached information: Network Server
Business associate present: No