Another California healthcare organization has become a victim of cybercrime.

The organization, Marin Healthcare District, says that on July 26 one of its key vendors, Marin Medical Practices Concepts Inc., experienced a ransomware infection.

Ransomware is a type of malware that severely restricts access to a computer, device or file until a ransom is paid by the user. This class of malware is a criminal moneymaking scheme that can be installed through deceptive links in an e-mail message, instant message or website and can lock a computer screen or encrypt files with a password, says Kaspersky Lab, a developer of anti-virus software and related applications. The criminals typically then demand money in exchange for releasing the password so the hacked organization can access its files.

Marin Medical Practices, a provider of medical billing and electronic health records services to Marin Healthcare District, realized it was the victim of a ransomware incident after one of its backup systems failed, causing the loss of information that was collected at nine medical care centers between July 11 and July 26. The information included vital signs, limited clinical history, documentation of physical examinations, and records of the communication between patients and their physician during a visit in that 15-day period, says Marin Healthcare. The incident impacted about 5,000 patients, the health system says.

In a letter to patients and others affected by the ransomware incident, Marin Healthcare District CEO Lee Domanico wrote that a follow-up investigation of the incident found no evidence that patient personal, financial, or health information was accessed, viewed, or transferred.

But Marin Healthcare and Marin Medical Practices did pay an undisclosed ransom to have the cyberthieves unlock the data files. Formerly known as Marin Hospital District, Marin Healthcare is a public entity that owns Marin General Hospital and nine medical care centers throughout Marin County in northern California.

Marin Healthcare isn't saying much about steps taken to prevent further ransomware attacks. In his letter, Domanico notes that the health system did report the cybercrime to the FBI and the U.S. Department of Health and Human Services' Office of Civil Rights, which oversees hospital data breach administration, and various California state agencies. "The Marin Healthcare District will continue to work side by side with our vendors to ensure that all of our data is protected with today's most advanced technology to reinforce their security systems against the most aggressive threats," Domanico says.

Marin Healthcare says the health system has sent letters to patients impacted by the ransomware incident and established a toll-free phone number for patients. But Marin Healthcare did not release specifics of what support it was offering those patients impacted by the cybercrime, such as offering free credit monitoring and identity recovery services.

Marin Healthcare is the second California health system to report a ransomware incident in the past week. In a statement posted on its web site, Keck Hospitals CEO and chief operating officer for Keck Medicine of the University of Southern California Rodney Hanners reported that on Aug. 1 a ransomware attack occurred on servers at two hospitals, including Keck Medical Center, a 240-bed hospital, and USC Norris Comprehensive Cancer Center Hospital, a 60-bed facility.

Ransomware attacks and other forms of cybercrime are becoming a big security concern for healthcare organizations of all sizes, says Lee Barrett, executive director of the Electronic Healthcare Accreditation Commission. "The bottom line is that organizations need to be proactive, vigilant, be willing to invest in a comprehensive security strategy with the appropriate rigor and tactics and third-party reviews of the infrastructure," Barrett says. "Organizations need to fully understand the risks, costs, exposures and take the appropriate actions to mitigate those gaps and vulnerabilities to reduce the risk of a HIPAA breach, incident, cyber or ransomware attack."

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, aims to ensure the confidentiality of patient medical records.
