Wood Ranch Medical family practice in Simi Valley, CA., closed permanently due to a ransomware attack. Ransomware encrypted the patient medical records and backup files in August 2019. The attack left the computer system damaged beyond repair. The practice closed on December 17th, 2019, after helping patients find new medical services providers.

While there is no evidence that attackers stole medical or private personal data, the practice sent letters to patients advising them of the security breach. Patients were able to visit the clinic, get medication refills and receive help in finding a new provider before the December shut down. The practice also arranged for a toll-free call center to answer any questions.

In addition to patients finding new doctors, employees such as the office manager and the practice’s family nurse practitioners are out of work. The practice told patients they should check their credit reports and possibly register a fraud alert with the credit reporting agencies in case attackers had stolen their private information.

Medical practices must take reasonable precautions against security breaches of their computer systems. The possibility that patient information was compromised leaves the practice open to potential HIPAA sanctions and could result in other legal action. While there is no civil cause of action under HIPAA, some jurisdictions do allow civil lawsuits. For example, see this case from the Connecticut Supreme Court: https://www.totalhipaa.com/new-ruling-hipaa/.