Airway Oxygen, a Michigan-based healthcare supplier, has announced that it was hit by a ransomware attack in April. About 550,000 people were directly affected.
The company said: “An investigation revealed that the intruders had access to patient health information for approximately 550,000 current and past customers of Airway Oxygen. Additionally, the personal information of approximately 1,160 current and former employees of Airway and its sister company were also compromised."
Airway Oxygen is a private company that makes medical equipment such as lift chairs, wheelchairs, CPAP supplies, oxygen machines and mobility scooters.
The company has been informing their clients that their personal data has been breached in a letter dated June 2017. In the letter, the company explains “On the evening of 18 April 2017, we learned that unidentified criminals have gained access to our technical infrastructure and installed ransomware in order to deny Airway Oxygen Inc. access to its own data.” According to the company, home addresses, telephone numbers, health insurance policy numbers and diagnoses may have been leaked. Social Security numbers, credit card numbers, debit card numbers, and bank account numbers were not affected.
The firm didn't specify which particular ransomware malware was used in the attack, but the incident predates WannaCry. It's also unclear which monetary amount the attacker demanded, and whether or not Airway Oxygen paid the ransom.
The company added: “We have reported the incident to the FBI and will cooperate with their efforts. We have hired a cybersecurity firm to assist in conducting an investigation to assess the cause and impact of the breach. In addition, we are identifying further actions to reduce the risk of this situation recurring."
Healthcare information is one of the most sensitive types of data that can be compromised in a cyber-attack. The most important set of federal American regulations which govern how medical data is handled is the Health Insurance Portability and Accountability Act.