Family Health Center of Worcester Reports Cyber Attack
Worcester, MA -- Family Health Center of Worcester, Inc., (FHCW), a nonprofit, Federally Qualified Health Center that provides care for 35,000 low-income residents, today announced that it has notified affected patients of a recent attack on its computer systems by unauthorized third parties using a malicious software (“malware”). Following a forensics investigation of the cyber attack, Family Health Center was able to determine that there is no evidence that protected health information (PHI) including medical and/or personal information was stolen, viewed, or used by any third party in relation to this incident.
On October 6, 2020, several Family Health Center employees received phishing emails which contained a malicious software (“malware”). Phishing is when an outside party poses as a trusted source through an email and directs the recipient to respond to or interact with the email as a means of gaining unauthorized access to the recipient’s email account or information system. During the evening of October 6, 2020, Family Health Center discovered the malware deployed through a phishing email had launched an attack on computer systems by unauthorized third parties. The malware encrypted certain PHI, making that information inaccessible. The goal of this attack was to obtain a ransom payment from Family Health Center in exchange for access to the computer network and related information. Family Health Center’s Information Technology (IT) Department acted swiftly to shut down all systems to stop the attack. The sudden shut down of systems caused information related to patient visits on the day of the attack, October 6, 2020, to not be backed-up (saved) in the system. There is no evidence that any PHI was used, taken, or viewed by any unauthorized third party. Family Health Center takes the security and privacy of personal information very seriously and has taken steps to prevent a similar event from
occurring in the future.
Information that was stored in the affected systems included medical records and may also have included full names, Social Security numbers, dates of birth, home addresses, phone numbers, account numbers, age, insurance information, next of kin, employer information, preferred pharmacy, diagnosis, and disability codes. Health information that was not backed-up or saved on October 6, 2020 may have included information from after hour call notes, telephone calls, nurse visits, provider visits, orders (lab, referrals, diagnostics, prescriptions), visit notes, and billing.
Upon discovering the attack, Family Health Center immediately shut down all systems and devices to stop the attack, initiated mitigation protocols including removing all phishing emails from the systems, wiped clean the system, and initiating system restorations and data recovery efforts. Family Health Center did not pay a ransom to the attackers. The health center was able to block the attack and rebuild systems using back-up data.
Family Health Center hired a computer forensics consulting firm to conduct an outside investigation and forensic review of the incident, along with several IT consultants who specialize in data security to remediate the attack. Family Health Center built a new IT infrastructure to include new security and enhanced security protocols, and new backup and disaster recovery systems. The health center hired legal counsel who specialize in privacy and security to advise and assist with required governmental notifications. Health center staff have received training on new security measures, and ongoing security audits will be implemented to reduce the risk of such attacks occurring in the future. Family Health Center is reviewing and updating our information security policies and protocols in light of this attack and the rise of current cyber threats to the U.S. health care system.
Family Health Center identified all patients with appointments scheduled on October 6, 2020 who may have been affected by the incident. These patients each received a letter offering a repeat appointment at no cost, along with a HIPAA notification. Family Health Center established a toll-free phone line for patients to call with any questions related to this incident and/or to reschedule an appointment.
Patients who have questions regarding this incident are encouraged to call 1-833-640-1633 to speak with a member of the health center. This dedicated phone line has a private voicemail where patients may leave a message with their contact information, and all calls will be returned as soon as possible during business hours Monday through Friday, 8:30 a.m. to 5:00 p.m.
Family Health Center remains committed to protecting patient privacy and meeting patient’s comprehensive health care needs with high quality services.
As a matter of practice, Family Health Center encourages its patients to remain vigilant to the possibility of fraud and identity theft by reviewing credit card, bank, and other financial statements, as well as claims made using their insurance for any unauthorized activity. If individuals detect any suspicious activity, they should notify the entity with which the account is maintained, and promptly report the suspicious activity to appropriate law enforcement authorities, including the police and the state attorney general. In addition, anyone looking for information on fraud prevention can review tips provided by the FTC at
www.ftc.gov/idtheft (link is external).