NRC Health was hit with a ransomware attack Feb. 11 and is still working to restore its systems and services.
The company, which works with 75% of the 200 largest U.S. hospital chains, administers patient survey tools to hospitals.
The cyberattack was first reported by CNBC's Chrissy Farr on Thursday.
NRC Health works with 9,000 healthcare organizations, including Adventist Health, Jefferson Health, Cedars Sinai, Phoenix Children's Hospital, Ochsner, and Providence Health, according to the company's website. NRC Health collects data from more than 25 million healthcare consumers a year across the U.S. and Canada.
In a statement provided to FierceHealthcare, Paul Cooper, Chief Information Officer at NRC Health, said on Feb. 11 the company experienced a ransomware attack on certain computer systems and immediately shut down its "entire environment," including client-facing reporting portals, to contain the issue.
"We also immediately launched an investigation with the assistance of a leading forensic investigation firm to determine the nature and scope of the incident and notified the FBI," Cooper said.
Since last week's attack, NRC Health has made "significant progress" in restoring its systems and services for its customers.
The company anticipates full restoration in the coming days, according to Cooper.
Cooper said in his statement that there is no evidence, to date, of unauthorized access to or acquisition of any data from NRC Health's systems, including protected health information or other confidential information.
The company started notifying its hospital customers with an email alerting them to the attack, according to CNBC.
Despite the company's assurances, some hospitals notified of the cyberattack have raised concerns that private patient data was accessed, according to sources who spoke with CNBC's Farr.
One health system CEO, who requested anonymity, said they were concerned about hackers having access to confidential information about their hospital, including its market share, Farr reported.
David Holtzman, executive advisor to cybersecurity firm CynergisTek, said federal HIPAA Rules and many state laws hold health care organizations responsible for assessing and carrying out notifications to consumers when one of their vendors suffers a cybersecurity incident or ransomware event that compromises their unencrypted electronic protected health information (e-PHI).
"HHS' Office for Civil Rights has issued guidance that when an intruder has gained access to an information system in which e-PHI is stored and has compromised the availability or integrity of the data, it is presumed to be a reportable breach," Holtzman said.
Measures from patient satisfaction surveys are not only used for patient loyalty, but the majority of senior health care executives have compensation tied to patient satisfaction scores. Hospital reimbursement is also being directly affected by inpatient satisfaction ratings as a part of the Centers for Medicare and Medicaid Services (CMS) value-based purchasing program and private payer initiatives, according to the American Medical Association Journal of Ethics.
"With NRC's systems shut down, one chief information officer at a hospital said that it's been a 'major source of irritation internally,' because the systems are used to determine how much its physicians are getting paid," Farr reported. The executive requested anonymity because they were not authorized to speak about the attack.
If private patient information was accessed, hospitals will need to notify their patients.
"Our resources are singularly dedicated to regaining full operability and investigating this matter to completion," Cooper said. "NRC Health takes our customers' information and security very seriously, and we have and will continue to share additional updates on progress with customers on a daily basis until the issue is completely resolved."
A recent report from Protenus found that over 41 million patient records were breached in 2019, almost triple what the healthcare industry experienced in 2018. Incidents involving business associates impacted 24 million patient records.
One incident alone, a massive security breach at third-party billing collections firm American Medical Collection Agency (AMCA), exposed the sensitive data of 21 million patients.