Wright & Filippis, Rochester Hills, Michigan, announced it was subject to a cybersecurity and ransomware attack in January that may have impacted patients’ personal health information or personally identifiable information. Reports indicated that an estimated 877,000 people were affected.
With assistance from third-party experts, Wright & Filippis took immediate steps to secure its systems and investigate the nature and scope of the incident that took place January 26-28. The investigation confirmed that an unauthorized party was able to access, and possibly remove, computer files with stored consumer information.
After learning it had been the target of a ransomware attack, Wright & Filippis reported the data breach on November 18 to the US Department of Health and Human Services Office for Civil Rights and the California Attorney General.
On May 2, the company discovered the incident may have impacted patient health information or personally identifiable information, but no evidence was found that the data was misused. Wright & Filippis’ electronic medical record system was not impacted, but the incident may have resulted in unauthorized access to certain files or accounting records that may have contained one or more of the following data elements: name, date of birth, patient number, social security number, financial account number, and/or health insurance information.
Out of an abundance of caution, and in accordance with applicable law, Wright & Filippis said it provided notice to the people affected by the breach so they can take steps to minimize the risk that their information could be misused.
The company said it has worked diligently to determine how this incident happened and is taking appropriate measures to prevent a similar situation in the future. Since the incident, the company has implemented a series of cybersecurity enhancements, including installation of additional endpoint detection and response software, resetting all passwords, and rebuilding affected servers.