Monday, October 10, 2016

Ransomware and incompetence in backups leads to medical data loss...but the thieves were honest thieves!

"An honest thief!" said Caledon Hockley of Jack Dawson, after planting the Heart of the Ocean diamond necklace in Jack's pocket.

The headline of this posting may sound absolutely insane, but it is factual.

But don't worry, your precious medical data is far safer than it ever was on that 5,000-year-old invention, papyrus.

Marin patients’ medical data lost after cyber attack
By Richard Halstead, Marin Independent Journal   
September 30, 2016

The Marin Healthcare District and Prima Medical Foundation are notifying more than 5,000 patients that some of their medical data was lost due to a glitch that followed a ransomware attack in August.

There's that all-purpose euphemism again, "glitch", which in this case is a euphemism for negligence.  See blog query link for more on "glitches."

Prima Medical Foundation supports the Prima Medical Group, many of whose doctors work closely with Marin General Hospital.

I covered the wondrous EHR at Marin General Hospital at my May 17, 2013 post "Marin General Hospital nurses warn that new computer system is causing errors, call for time out" at, and my May 20, 2013 post "Marin General Hospital's Nurses are Afraid a Defective EMR Implementation Will Harm or Kill Patients .. CEO Cites Defective HHS Paper and Red Herrings As Excuse Why He Knowingly Allows This To Continue" at

The computer records of Marin Medical Practice Concepts, a Novato company that provides medical billing and electronic medical records services to many Marin physicians, were hacked on July 26. As a result, some Marin doctors were unable to access their patients’ medical records for more than a week.

More than a week with no records is, needless to say, putting patients at great risk.

Responding to questions from the Independent Journal on Aug. 4, Lynn Mitchell, CEO of Marin Medical Practice Concepts, confirmed the malware attack. In her email, Mitchell wrote, “Ransom was paid. For security reasons we will not be releasing the amount or denomination paid.”

That really inspires confidence.

Typically in such ransomware attacks, a sophisticated computer virus finds its way into a victim’s system when an unsuspecting employee opens an email attachment. The virus encrypts the system’s data and attackers essentially hold the data hostage until the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin.

A virus "finds its way" into a victim's system?

Let me rephrase into the politically incorrect, but factually correct, "due to incompetence in computer security. evil people are able to infiltrate the virus into a life-critical EHR system."

The Marin Healthcare District and Prima Medical Foundation issued nearly identical press releases on Wednesday, stating, “The third-party forensic firm hired to investigate this incident found no evidence that patient personal, financial, or health information was accessed, viewed, or transferred.

I guess they never considered that such evidence could have been removed by the hackers, who obviously had just a bot more IT expertise than the average high schooler.

But, of course, the thieves were honest thieves who would NEVER steal valuable medical charts for profit on the black market...

Here's what I consider the very worst part of this incident:

“However, during the restoration process, one of MMPC’s backup systems failed, causing information to be lost that was collected at the district’s nine medical care centers between July 11, 2016 and July 26, 2016.”

I note that a "backup system failing" causing data loss is a "never" event.  Incompetence...

The release went on to say: “This information includes vital signs, limited clinical history, documentation of physical examinations, and any record of the communication between patients and their physician during a visit in that 15 day period. Results of diagnostic tests were not lost and patients do not need to be re-tested.”

But patient safety was not compromised...

Jamie Maites, a spokeswoman for Marin General Hospital, said, “The ransom unlocked the data; however, at the time of the incident, we were in the middle of a system upgrade. The data loss occurred at the time of the system restore due to a faulty backup system — not due to the malware.”

Well, that's certainly reassuring.

Maites said Marin General’s systems were unaffected by either the ransomware or the failed backup systems. The patients being notified are patients of physician practices that are part of the Marin Healthcare District Medical Care Centers and Prima Medical Foundation.

The hackers were generous in sparing the hospital.

In a statement, Lee Domanico, chief executive of the Marin Healthcare District, said, “Our community can rest assured that the Marin Healthcare District will continue to work side by side with our vendors to ensure that all of our data is protected with today’s most advanced technology to reinforce their security systems against the most aggressive threats.”

Lee Domanico is the same CEO who I cited in my aforementioned posts who in 2013, after dire nurse warnings, brilliantly assured the board that the hospital was safe, despite "glitches" in the new system and that "I'm confident that in spite of the implementation issues, we have a system today that is safer for patients than our old paper system, and it will get even safer as we gain experience with it and work to fix some of the glitches we've experienced."

In a similar statement, Dr. Robert Newbury, chief executive of the Prima Medical Foundation, said, “It is unfortunate that these types of cyber-attacks have become so common.”

I would more precisely state that it is unfortunate that health IT leaders are so incompetent that they cannot secure their own life-critical systems.

... According to a report issued by the Attorney General’s Office in February, in the past four years the attorney general has received reports on 657 data breaches affecting a total of more than 49 million records of Californians.  The report said that malware and hacking present the greatest threat, accounting for 54 percent of the breaches. The report added that health care, which accounted for 16 percent of breaches, is starting to see an increase in hacking breaches as the sector transitions to electronic medical records. And it said that the “most vulnerable information in health care was medical information, such as patient records, and Social Security numbers.”

I really have to ask if the (increasingly elusive) benefits of EHRs warrant this level of security risk - let alone the known risks of bad health IT aside from security issues.

-- SS


Michael D. Shaw said...

@Scot--Did like that Titanic reference. Glitch!

Sailor who takes selfie aboard sub = Dastardly criminal

Sec State who deletes thousands of e-mails and uses insecure platform = Glitch!

Anonymous said...

No evidence of outcomes benefit from HIT.

Anonymous said...

Ongoing issues as to why the HITECH programme is one of the largests frauds on the citizens of the USA.