[BreachExchange] Salem Clinic affected in ransomware attack aimed at Portland-based mail-processing business

Fri Jan 22 10:47:07 EST 2021

https://www.statesmanjournal.com/story/news/crime/2021/01/20/clinic-affected-ransomware-attack-aimed-portland-based-business/4238518001/

The Salem Clinic staff is notifying more than 20,000 patients about a
nearly two-year-old data breach targeting their service provider,
Metro Presort, that may have compromised names, addresses and health
identification.

The ransomware attack on Metro Presort, a Portland-based printing and
mail processing business, occurred May 6 through 15 of 2019 during
what was thought to be a server outage.

Criminals demanded payment to unlock the company's systems and
information and made the data stored on them unusable, including all
customer data files, according to Metro Presort officials.

Metro Presort did not pay the ransom.

The attack involved malware known as “RYUK,” which frequently has been
used to attack banks and large health care organizations, officials
said.

At the time of the attack, Metro Presort was processing mailings for
21 health care organizations, including Salem Clinic and the Oregon
Heart Center, including marketing materials, statements, and invoices.

Officials say 20,928 Salem Clinic, P.C. customers' information may
have been compromised; another 3,172 Oregon Heart Center, P.C.
customers were also affected.

Some of the customer data files contained only names and addresses,
while others also contained health plan identification numbers and
treatment information.

No Social Security numbers, other government identification numbers or
financial account information, such as credit card or bank accounts,
were stored on Metro Presort’s systems.

Though there was no evidence that someone actually accessed any
customer data files, company leaders said they could not rule out the
possibility that the attacker could have had the ability to access
files, officials said.

And on Dec. 31, 2020, OCR issued a ruling finding no violations of
HIPAA and closed its investigation.

“It is distressing that there are people in the world deliberately
wrecking businesses and trying to profit from others’ losses, while
also potentially causing problems for individuals," said Brad Barton,
President of Metro Presort. "We take our responsibility to protect and
take care of our clients’ information very seriously."

Affected individuals should regularly monitor their personal accounts
and information for any unusual activity.

If affected individuals notice any unusual activity, then they should
immediately notify their financial institutions and healthcare
providers. Individuals who receive notices in the mail from their
health care providers or plans may call (833) 971-3304 from 9 a.m. to
5 p.m. Pacific Time Monday-Friday, if they have any questions.

Metro Presort processes customer printing and mailing work orders by
receiving electronic data files containing addressee information and
letter content known as “customer data files” through a secure online
portal. It temporarily stores and processes these files on company
servers.