New Jersey’s Hackensack Sleep and Pulmonary Center was hit by a ransomware attack in September that potentially breached the data of 16,476 patients.

Officials discovered the malware had encrypted its computer system on Sept. 25, when the ransomware locked down its EHR and the hacker demanded a ransom to unlock the files. 

[Also: The biggest healthcare breaches of 2017]

The sleep center did not pay the ransom. Instead, the medical center immediately contacted the New Jersey State Police Cyber Crimes Unit and hired a computer forensics team to help with the investigation and make recommendations on how to better protect its system. Further, officials said they’re implanting stronger security measures.

Affected patient records contained complete medical records including diagnoses and office notes, personal identifiers including credit card information and Social Security numbers, and insurance details.

Because Hackensack Sleep and Pulmonary Center’s staff had prepared for ransomware attacks, it was able to regain files from an unaffected, offline backup. Officials said they are confident the records are intact.

They are also encouraging affected patients to review account statements, health insurance records and benefits forms to ensure there’s no suspicious activity. While ransomware attacks don’t appear to breach data, data access is possible under HIPAA rules.

“We sincerely apologize and regret that this incident has occurred,” officials said in a statement. “Please know we are doing everything we can to continue to monitor this issue, to safeguard your personal and health information, and to protect against future incidents.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com