
Cyber Incident Victim: Airway Oxygen

Date: Apr 2017

Location: United States of America

Summary

A healthcare provider experienced a ransomware attack compromising its network, prompting an investigation that found no evidence of unauthorized access or acquisition of protected health information. Despite this, the organization proactively notified approximately 500,000 potentially affected individuals and reported the incident to regulatory authorities, including the Vermont Attorney General’s Office and HHS. The breach highlighted risks associated with ransomware incidents even when direct data exfiltration remains unconfirmed.


Description

On April 18, 2017, Purity Cylinder/Airway Oxygen, a Michigan-based company, discovered ransomware had been installed on its computer network. The discovery prompted an immediate investigation to assess the nature and scope of the incident. While the company identified the presence of ransomware, their forensic analysis found no evidence that protected health information (PHI) had been accessed or acquired by unauthorized parties during the intrusion. Despite this lack of confirmed data exfiltration, Airway Oxygen determined that the potential risk to patient privacy warranted formal notification due to the possibility of exposure. The company proceeded to report the breach to the Vermont Attorney General’s Office earlier in June 2017, indicating that Vermont residents were among the affected population. This notification preceded a broader outreach effort to individuals whose information resided on the compromised systems.

The incident gained wider public visibility on June 22, 2017, when it appeared on the U.S. Department of Health and Human Services (HHS) breach reporting portal, disclosing that approximately 500,000 individuals were potentially impacted. Airway Oxygen initiated direct notifications to these patients, advising them of the ransomware event and the potential exposure of their PHI, though reiterating the absence of evidence confirming actual data access or theft. The company did not publicly specify the types of data stored on the affected systems or the operational disruptions caused by the ransomware. The breach notification emphasized precautionary measures rather than confirmed harm, reflecting the organization’s assessment that the primary risk stemmed from the presence of the malware itself rather than verified data misuse. No further details regarding the ransomware variant, attack vector, or remediation steps were disclosed in the available public reporting.
