Otolaryngology Associates, a group practice with 13 offices in Indiana, experienced a cyberattack affecting 316,802 individuals.
The practice became aware of the cyberattack Feb. 17, according to a notice on its website.
The practice said it was not locked out of its systems, but that the attacker sent three communications Feb. 20 and Feb. 21 claiming to have stolen some of the company's data and threatening to release it publically. The practice said it then took steps to further secure its network and contacted the FBI and a forensic cybersecurity firm to investigate the incident.
The investigation determined that the attacker ran programs to steal data from the company's systems but did not view individual documents or access the practice's medical records system. However, the practice said it could not rule out that personal and protected health information of patients and staff was compromised.
Information that may have been compromised includes certain billing information and identifying information such as Social Security numbers, driver’s license numbers, appointment schedules and insurance plan numbers. Bank account and payroll information for staff may have also been impacted.
Otolaryngology Associates said it has implemented additional security measures, has mailed notification letters to all potentially affected individuals and is currently monitoring the situation for further updates.
The cyberattack was submitted to the HHS Office for Civil Rights Breach Portal April 1.