The Medical Review Institute of America (“MRIoA”) collects protected health information (PHI) as part of providing clinical peer review for covered entities that request it (if the patient consents to provide information for the review). MRIoA was hit with ransomware in November. And although they do not directly state that they paid a ransom, it sounds like they did, because their notification states that to the best of their ability and knowledge, they “retrieved and subsequently confirmed the deletion” of their information.

Do they really have any genuine belief that the data were deleted, when every expert has been saying for the past few years that criminals do not delete data, even though they swear they will delete it and that their word is good? I wish entities would be a bit more realistic and tell people, “Look, we paid these b*stards a ton of money to get your data deleted, but the reality is that they probably didn’t delete it despite swearing they would, so take steps to protect yourself, and here’s how we will try to help you: …”

You can read the full notification/press release on the Vermont Attorney General’s website at

The incident has not (yet) appeared on HHS’s public hack tool. On MRIoA’s site, however, under Privacy and Security, it says:

“MRIoA takes the privacy and security of your information very seriously. MRIoA’s privacy and security program incorporates the HITRUST Common Security Framework (CSF) and associated standards/regulations referenced within, including HIPAA, HITECH, and state data and privacy laws. MRIoA maintains strict access controls including privileged access, file integrity monitoring, input validation and comprehensive audit logging, and ensures confidentiality of data by using AES-256 encryption for data at rest and TLS 1.2 for data in transit.”

So if data at rest were accessed and exfiltrated, had they been encrypted as promised? There is no mention of any of the compromised PHI being encrypted in MRIoA’s notification.

It’s possible that attackers could encrypt over already encrypted data, but then I would think the notification would have been sure to state that the data had been encrypted by MRIoA. I sent an email inquiry to MRIoA last night asking about that and a few other questions, but no reply has been received as of the time of this publication.