Grays Harbor Community Hospital (GHCH) and Harbor Medical Group (HMG) are providing to patients notice of a ransomware attack earlier this Summer that involved patient health information.

On June 15, 2019, GHCH and HMG discovered that databases containing electronic medical records were encrypted by a sophisticated software program (ransomware) designed to block access to a computer system until a sum of money is paid. Upon identifying the ransomware, GHCH and HMG launched an immediate investigation with the support of leading forensics and network consultants, and the investigation is ongoing. GHCH and HMG also notified the FBI of the incident. At no time was patient care compromised and throughout the incident GHCH and HMG continue to care for patients.

After taking the appropriate precautions to safeguard the network, GHCH and HMG used established backup procedures and have been able to recover much of the patient health care information; however, certain parts of the electronic medical record remain encrypted and inaccessible by GHCH and HMG. GHCH and HMG have no reasonable basis to believe that any personal information has been transmitted outside of GHCH’s or HMG’s databases.

The health information that was impacted by the ransomware may have included a patient’s full name, date of birth, social security number, phone number, home address, insurance, and medical record information, including diagnosis and treatment. GHCH and HMG have recovered much of the information that was encrypted but have been unable to recover fully all of the health information that was encrypted.

GHCH and HMG will continue to work diligently with security experts to recover the affected databases and re-establish access to the entire electronic medical record, however, this may not be possible.

Ransomware incidents of this nature are different from other data security incidents in that the data remains within the database. While GHCH and HMG do not believe that any of this personal information was transmitted outside of GHCH’s or HMG’s databases, out of an abundance of caution, GHCH and HMG are notifying patients via letter. GHCH and HMG have arranged for those affected to enroll in a credit monitoring service through Experian. This service is available to those affected at no cost.

GHCH and HMG will continue to take steps to mitigate this incident and to prevent this type of incident from happening again, including implementing more robust security and backup procedures. We also are providing training for staff members to ensure they understand how to avoid malware.

GHCH and HMG have established a dedicated call center for patients with questions at 1-833- 762-0219, Monday – Friday from 7:30 am – 5:00 pm Pacific Time.

GHCH and HMG take very seriously the responsibility to protect our patients’ personal information and deeply regrets any concern or inconvenience this incident may cause patients.