Frequently Asked Questions about Associates in Psychiatry & Psychology's Security Breach
Q: What exactly happened?
A: Sometime between Friday evening, March 30th and Saturday morning, March 31, 2018, hackers from Eastern Europe, breached APP’s servers and did the following:
Encrypted all the data files on our main servers with an RSA2048 encryption protocol.
Disabled the system restore function on all affected computers Reformatted our network storage device where we maintained our local backups.
Left a ransom note indicating the cost and payment method for restoring our systems.
Q: What is Ransomware?
A: Ransomware is the computer equivalent of a criminal breaking into your house and putting all your important documents into a large safe and locking it, then demanding money for the combination.
In our case, the specific type of Ransomware that affected APP was called “Triple-M” which is one of a family of “crypto-ransomware” strains that uses extremely long keys (passwords) to encrypt data on infected systems. Unlike other forms of computer-hacking, ransomware has the sole objective of coercing victims into paying ransom.
Q: Does someone now have my private information?
A: There is no evidence that any APP patient data was viewed or copied during the breach.
All of APP’s patients’ personal information is stored in databases on APP’s computers. The data, which contains names, addresses, phone numbers, insurance claim processing information and diagnostic and treatment information, is not in any format that anyone could easily browse or copy unless APP’s practice management or electronic health records programs were used. Neither of these applications were accessed during the breach.
Q: Was any of my banking, credit card, or financial information exposed?
A: Credit card information is kept in a separate encrypted cloud-based system and was not affected by this breach. APP does not maintain any other personal financial information on our computers.
Q: Why are APP’s systems connected to the internet?
A: The Health Insurance Portability and Accountability Act (HIPAA) requires medical practices to provide patients with internet access to their personal records (45 CFR § 164.524). Our practice management system also has internet connections in order to bill insurance companies, send appointment reminders, and generate patient statements.
Q: Has APP improved its security since the breach occurred?
A: Yes. We have severely limited access to APP systems from outside of our network and continue to work with experts on improving our network security.
Q: Can I get a copy of anything APP has in their files about me?
A: Yes. The simplest method is to sign up for the patient portal. You will be able to sign into your account and view or print any of your patient records. If you would like access to the APP Patient Portal, please contact our office manager Jessie (OfficeMgr@appmn.com) to sign up for this free service. If you are a current patient, you can also ask for the enrollment forms at the front counter.
Q: Can I have my data deleted?
A: Unfortunately, we are required to keep patient data for seven years after the last visit. Patient data is removed after that retention period.
Q: What should I do in light of this breach?
A: It’s a good practice to check your credit reports on a regular basis. Although there is clear evidence that your data was not viewed, this might be a good time to request a free credit report online at www.annualcreditreport.com or by telephone at 1-877-322-8228. If you notice anything unusual on your credit report, you should call the telephone number listed on the credit report or visit the Federal Trade Commission’s Web site at http://www.consumer.gov/idtheft/.
Q: Why are we just hearing about this now when the breach occurred at the end of March?
A: If you had a break-in at your house, the first things you would probably do is call the police, call your insurance company, and fix your doors and locks. That’s what APP did. We reported the breach immediately to the FBI and have been working to improve our overall network security over the last few weeks.
Q: Can I speak to someone at APP about this breach?
A: Yes, patients with specific questions about the breach may call 507-288-8544. You can also send questions to WeCare@appmn.com . Please do not include any personal health information in any e-mail to APP.