Thousands of patient files of the Ferguson Medical Group in Sikeston, Missouri, may have been compromised in a cyberattack in September, according to Saint Francis Healthcare System, which acquired the Sikeston medical practice earlier this year.
According to a statement issued Wednesday by Saint Francis, the attack took place Sept. 20 and was discovered the following day.
“As a result of that attack, all of the medical records for services provided at FMG (Ferguson Medical Group) prior to Jan. 1, 2019, were made inaccessible to Saint Francis,” the statement read. The “attacker,” who has not been identified, demanded Saint Francis pay a ransom to regain access to the records. The ransom demand amount was not established.
According to the statement, “Saint Francis took immediate steps to secure the network and worked with federal law enforcement” to resolve the situation.
Rather than pay the ransom, Saint Francis attempted to restore access to as many files as possible through a backup system. However, records for services provided at Ferguson Medical Group between Sept. 20, 2018, and Dec. 31, 2018, as well as any documentation that had been scanned into the medical group’s computer system, regardless of date, could not be restored.
“There were many reasons Saint Francis decided not to pay the ransom,” Christy Russell, communications coordinator for Saint Francis Healthcare System, told the Missourian. “Most notably, we did not believe that paying the ransom would result in regaining access to the information. This was supported by the FBI’s experience with this type of attack.”
Asked why Saint Francis waited almost two months to publicly announce the cyberattack, Russell said it took time to investigate the incident, ensuring the attack was limited to the Ferguson Medical Group computer system and confirming the threat had been eradicated.
“All of these activities took time to complete,” she said. “Saint Francis also had to take the time to identify the individuals whose information may have been impacted and to prepare communications to those individuals.”
There were approximately 107,000 Ferguson Medical Group patient records in the practice’s computer system that may have been impacted by the attack.
“Of those, we were able to recover the vast majority,” Russell said.
Saint Francis Healthcare System acquired Ferguson Medical Group, along with its computer system and medical records, in January.
“When Saint Francis began operations at the Ferguson Medical Group locations in January of 2019, all new patient visits were recorded in the Saint Francis electronic medical records system,” Russell explained.
In the wake of the cyberattack, Saint Francis did a complete review of its electronic records system, looking for any areas of weakness that would make it vulnerable to future attacks.
“Upon learning of the incident, we immediately took steps to secure the Ferguson Medical Group network so this type of attack could not occur again,” said Lori Sturgill, Saint Francis Healthcare System’s chief information officer. She said the core Saint Francis network was not impacted by the Ferguson Medical Group attack.
“We have reviewed security practices and applied improvements to network security and systems, backup processes, endpoint protection, email security and end user training,” Sturgill said. “Ongoing efforts continue as we introduce new tools into our environment to improve the Saint Francis cybersecurity posture.”
According to the health care system’s statement, “Saint Francis does not believe that this incident resulted in the disclosure of any patient information to any unauthorized third parties. While there is no indication that patient information has been or will be used inappropriately, Saint Francis is notifying all impacted individuals who can be identified and located and is advising them of precautionary steps they can take to protect themselves, including offering complimentary credit monitoring service.”
In its statement, Saint Francis said it “regrets that this incident occurred and is committed to providing quality care and safeguarding personal information.”
A call center has been set up to answer any questions patients may have about the incident. The call center can be reached toll-free at (866) 611-1186 between 8 a.m. and 8 p.m. Mondays through Fridays.