Date: Jan 2019

Location: United States of America

Summary

Columbia Surgical Specialists of Spokane experienced a ransomware attack compromising protected health information of approximately 400,000 patients, including files over two decades old. The organization engaged a security firm to restore systems without paying ransom, though the breach prompted reporting to federal regulators due to potential unauthorized access to sensitive data. Patient notification complexities arose from outdated records, with the entity continuing to assess affected individuals while facing scrutiny over data retention practices and security vulnerabilities related to maintaining historical information on internet-connected servers.


Description

On January 7, 2019, Columbia Surgical Specialists of Spokane experienced a ransomware attack impacting its network servers. The incident disrupted access to electronic protected health information (ePHI) stored on the practice’s systems. An information systems manager confirmed to Information Security Media Group that the organization engaged a security firm to unlock its systems and recover its data without paying a ransom. Recovery operations concluded within a few days of the initial attack. The breach affected approximately 400,000 patients, with compromised data including some patient records dating back more than 20 years. Columbia Surgical Specialists formally reported the incident to the U.S. Department of Health and Human Services (HHS) on February 18, 2019, classifying it as a network/IT server breach under HIPAA rules.

The practice acknowledged challenges in notifying affected individuals due to the age of some records, which included inactive or former patients potentially deceased or unreachable. No substitute notice or public breach notification appeared on the entity’s website despite media inquiries. DataBreaches.net documented unsuccessful attempts to obtain clarification via phone calls regarding data exfiltration risks or the rationale for retaining decades-old ePHI on internet-connected servers. Columbia Surgical Specialists did not publicly confirm whether the incident met HIPAA’s reportable breach criteria or disclose technical details about attacker methods. The compromised data remained under assessment for notification requirements at the time of reporting, with no further operational disruptions disclosed beyond the initial containment.
