Meigs EMS releases statement on computer hack

Staff Report

POMEROY — Meigs County EMS has released a statement regarding a “ransomware” computer hack it says occurred earlier this fall.

According to the statement, while EMS information, including patient information, was accessed, there is no information indicating that that data has been used inappropriately. Services are also being offered to those whose information was accessed by the computer attack.

Below is the complete statement from Meigs County EMS:

On October 6, 2016, a ransomware attack was detected on the Meigs County EMS server. Ransomware is a type of malicious software used to deny access to information in an effort to secure monetary payment. Hackers that use ransomware are typically interested in securing payment — not stealing data. We engaged a leading forensics company to conduct an investigation and on October 25, 2016, we found evidence that the hackers had gained access to our EMS server and may have acquired data on individuals related to their treatment by Meigs County EMS.

Based on the forensic investigation, we are confident that the ransomware has been contained. We did not pay a ransom to regain access to any data. Instead, we restored the necessary data from backups. We did not find any evidence indicating that data was extracted from Meigs County’s EMS database as a result of the ransomware attack.

The potentially vulnerable information contained on the EMS database may have included patient names, addresses, treatment information, medical history, insurance information and other medical information. For some individuals, but not all, the information may have also included Social Security number, HIC number (a patient’s unique identification code on his/her Medicare card that includes your nine-digit Social Security number plus a one or two letter suffix) or health savings account benefit card information.

At this time, we also have no information indicating that any patient data has been inappropriately used by anyone. However, we have provided notice to our patients to alert them of the incident and assist them in any way possible. As a precautionary measure, to those with Social Security numbers or HIC numbers that were potentially subject to unauthorized access, we are offering a complimentary one-year membership to Experian’s ProtectMyID® Alert. This product helps detect possible misuse of an individual’s personal information and provides identity-protection support focused on immediate identification and resolution of identity theft.

We take this matter very seriously. We have taken several steps to address this incident responsibly and to further protect our patients’ personal information including:

  • Reported the incident to the Federal Bureau of Investigation;
  • Notifying the Department of Health and Human Services;
  • Reviewing and analyzing our security detection and response processes so we can quickly detect and respond to threats like malware and defend our systems from future attacks; and
  • Scheduling comprehensive data security and privacy training sessions for all employees to increase cyber awareness.

At Meigs County EMS, the health, safety and identity of our patients are of utmost importance.

We extend our sincerest apologies for any inconvenience, and remain accountable. We take our responsibility to protect our patients’ personal information very seriously and have taken steps to help prevent something like this from happening again.

If you have any questions about this incident, please call our dedicated call center at (877) 297-7780 between the hours of 9 a.m. and 9 p.m. EST Monday-Friday, and 11 a.m. and 8 p.m. EST Saturday-Sunday.
