Date: Jun 2017

Location: United States of America

Summary

A Delaware-based oncology and hematology practice experienced a ransomware attack impacting over 19,000 patients. The intrusion was detected approximately three weeks after it began, with no evidence suggesting unauthorized access to or acquisition of protected health information. The organization implemented a comprehensive response, including timely notification to affected individuals and regulatory authorities, while emphasizing transparency about the event's scope and their mitigation efforts.


Description

The ransomware incident impacting Medical Oncology Hematology Consultants, PA (MOHC) began on June 17, 2017, though the Delaware-based medical practice did not detect the intrusion until July 7—a 20-day period during which attackers deployed ransomware within their systems. Upon discovery, MOHC immediately initiated an internal investigation to assess the scope and nature of the compromise. The investigation confirmed that ransomware had encrypted data on affected systems but found no evidence indicating unauthorized access to or acquisition of protected health information (PHI). This determination was critical in shaping both regulatory reporting obligations and patient communications. The practice formally reported the breach to the U.S. Department of Health and Human Services (HHS) as required under HIPAA regulations, disclosing that 19,203 patients were potentially impacted by the event.

MOHC prioritized transparency in its response, issuing individual breach notification letters to all affected patients following the completion of the forensic investigation. These notifications detailed the ransomware attack’s timeline, the absence of evidence suggesting PHI misuse, and the practice’s remediation efforts. While the specific ransomware variant and initial attack vector were not publicly disclosed, the practice emphasized its commitment to securing systems and preventing recurrence. The incident’s primary operational impact stemmed from the ransomware’s disruption of data availability, though MOHC successfully restored operations without paying a ransom. No patient fraud or identity theft incidents linked to the breach were reported following the event. The practice’s response—noted for its thoroughness in investigation, regulatory compliance, and patient communication—concluded with the HHS breach report submission and completion of patient notifications by August 31, 2017.
