Houston-based Gastroenterology Consultants allegedly waited months before informing more than 161,000 patients that their data was exposed in a ransomware attack, KHOU 11 reported Sept. 9.
The provider notified patients Aug. 6 of a "data security incident" that occurred Jan. 10 and had potentially exposed 162,163 patients and employees.
Texas state law requires businesses to notify the attorney general’s office within 60 days of any data breach affecting more than 250 people. A KHOU 11 investigation found that Gastroenterology Consultants didn’t notify the attorney general until Aug. 9, seven months after the data breach.
The medical group said March 19 that it had resolved the cyber issues and remediated and restored its systems. After undergoing an extensive data-mining process to determine specifically which patients or employees had their information exposed, the group felt it was more cost-effective to notify all patients and employees instead.
The letter to the patients also indicated that the company paid the hackers a ransom and then trusted the criminals to keep their word about deleting the data.
"You can pay them off, but how do you know? How do you know that they really got rid of your information?" patient Amber Wietlispach told KHOU 11. "How do you trust somebody that you had to pay money to?"