Analecta Cyber Company Blog: Michigan Complete Chiropractic & Bodywork Therapies notified 4,082 patients after discovering malware

2016-05-27

Michigan Complete Chiropractic & Bodywork Therapies notified 4,082 patients after discovering malware

A Michigan-based healthcare provider known as Complete Chiropractic & Bodywork Therapies (CCBT) has notified a total of 4,082 of its patients following the discovery of malware on its network. The malware was discovered during the latter part of 2015; it had been injected into their system in an attempt to gather patients' information.

The provider posted the notification on their website just a couple of days ago. CCBT states that they have learned through the investigation that a company server was accessed by hackers.

The compromised server contained sensitive information including patient treatment and billing information. Other information available on the server included patients' names, dates of birth, addresses, Social Security numbers, and health/diagnosis information. Luckily, this information was all encrypted. The investigation wasn't able to prove whether patient information was actually taken or misused, but they cannot rule out the possibility.

CCBT informed patients that, following the discovery of the server malware, they had immediately secured the compromised server by disconnecting it from the Internet. They changed all workstation and vendor passwords and have added IT security protections such as additional external firewalls, which will help monitor incoming and outgoing traffic on their network.

CCBT also tapped the services of forensic experts to help them investigate the whole incident. According to the forensic experts, the malware had been operating since mid-November 2014.

The forensic experts backed CCBT's claim that, though their server was accessed by hackers, there is no indication that patients' protected health information was actually taken or improperly used. CCBT is hopeful that the information on the compromised server will not be used for fraud or identity theft.

Through a third-party service provider, CCBT will provide patients one year of identity theft protection for free. They've also provided them with response measures to protect their information from identity theft.

CCBT expressed their disappointment about the security breach, but reaffirmed that they are taking the matter very seriously and are working hard to ensure that this does not happen again in the future. They've also retained new IT security professionals as part of security enhancement procedures.