Marin electronic medical record system hacked, ransom paid

Marin Medical Practices Concepts, a Novato company that provides medical billing and electronic medical records services to many Marin physicians, had its computer system hacked and paid a ransom to regain access to its own data.

There is “no evidence” that any patient data were compromised, according to a company official.

As a result of the security breach, many Marin doctors have been unable to access patients’ electronic medical records for more than a week.

Marin County Public Health Officer Dr. Matt Willis said Marin Medical Practice Concepts operates the county’s public health clinics’ electronic health record system.

Lynn Mitchell, CEO of Marin Medical Practice Concepts, declined to be interviewed Thursday but provided limited responses to some questions by email.

“On the evening of Tuesday, July 26, our information systems fell victim to a malware attack,” Mitchell said. “Ransom was paid. For security reasons we will not be releasing the amount or denomination paid.”

She declined to say whether she had reported the attack to law enforcement authorities.

There have been a slew of similar hacks of health care organization data systems this year.

In February, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 in the hard-to-trace digital currency Bitcoin in order to regain access to its data. In that case, the FBI handled the investigation, according to the Los Angeles Times.

Then in March, four more organizations fell victim: MedStar Health, which operates 10 hospitals throughout the District of Columbia and Maryland; Chino Valley Medical Center in Chino; Desert Valley Hospital in Victorville and Methodist Hospital in Louisville, Kentucky.

The hacks feature the use of “ransomware,” a type of computer virus that encrypts data on infected computers. The attackers essentially hold the data hostage until the owners of the information pay a ransom, typically in a digital currency.

Marin Medical Practice Concepts supplies electronic medical records services to Prima Medical Group’s 48 Marin physicians, among others.

In a statement, Dr. Robert Newbury, CEO of the Prima Medical Foundation, said, “While the electronic health record has not been fully operational, offices have remained open and able to provide patient care.”

Mitchell said, “Based on the forensic analysis completed by an external security firm that was engaged at the outset of the incident, there is no evidence that any patient data was accessed, viewed, transferred, or otherwise compromised. MMPC has secured its systems and access points and enacted a remediation plan to ensure an attack such as this does not recur.”

Mitchell added, “All impacted health care systems have been restored or are in the process of being fully restored and brought online.”

Jennifer Hitchcock of Greenbrae said that on Thursday when she called the office of Dr. Sarah Lowenthal, a Prima Medical Group doctor based in Novato, she was told they still lacked access to their patient data.

Hitchcock said when she first called Lowenthal’s office last Friday to confirm a Monday appointment for a sick relative, she was told “they couldn’t get into any of their medical records, and they were having to not see patients.”

Willis said despite the lack of access to clinical records at the county’s public health clinics, “There was no interruption in clinical services and this has not affected the delivery and quality of patient care.”

Prima Medical Group doctors work closely with Marin General Hospital, but a spokeswoman for the hospital, Jamie Maites, said it has been unaffected by the malware attack.

In September 2014, phone communications at Marin General Hospital were disrupted by scammers posing as bill collectors who bombarded the hospital with calls and demanded credit card numbers. The barrage shut down phone communications to the hospital’s labor and delivery department and emergency department for an entire day.