Wright & Filippis, Rochester Hills, Michigan, announced it was subject to a cybersecurity attack in January that may have impacted patients’ personal health information or personally identifiable information. With assistance from third-party experts, Wright & Filippis took immediate steps to secure its systems and investigate the nature and scope of the incident that took place January 26-28.
On May 2, the company discovered the incident may have impacted patient health information or personally identifiable information, but no evidence was found that the data was misused. Wright & Filippis’ electronic medical record system was not impacted, but the incident may have resulted in unauthorized access to certain files or accounting records that may have contained one or more of the following data elements: name, date of birth, patient number, social security number, financial account number, and/or health insurance information.
Out of an abundance of caution, and in accordance with applicable law, Wright & Filippis is providing notice so that affected individuals can take steps to minimize the risk that their information could be misused.
The company said it has worked diligently to determine how this incident happened and is taking appropriate measures to prevent a similar situation in the future. Since the incident, the company has implemented a series of cybersecurity enhancements, including installation of additional endpoint detection and response software, resetting all passwords, and rebuilding affected servers.