Health care institutions have fallen victim to ransomware on several occasions this year. Since the start of 2016, the mature ransomware strains Locky and CryptXXX have been responsible for encrypting the data of several organizations. The attack discussed in this article, however, was likely carried out by a different strain.
On May 16, Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR) discovered ransomware on the computers of its Glenwood Springs medical office. The company responded quickly: the IT department shut down all servers to prevent the infection from spreading, and a cybersecurity firm was engaged to conduct a forensic analysis of the network.
AAIR was faced with a severe security risk. The infected computers were storage devices for patients’ electronic protected health information (ePHI). The ePHI included patients’ names, medical test results and social security numbers. A total of 6,851 health records were stored on the infected machines.
The quick reaction prevented the ransomware from completing its installation; it was reported that the virus was caught “in its early stages”. Because the installation was halted, the cybersecurity firm was unable to determine which ransomware family it belonged to.
AAIR attorney Kari Hershey made a statement on the matter, saying “they weren’t able to track exactly what the hackers did, but what they did find was a draft of the ransom letter on the system.” According to the forensic analysis, the virus may be a previously undocumented program or a recently developed ransomware strain.
Hershey pointed out that there was no evidence to suggest the cyber criminals had accessed or copied ePHI. Had any data exfiltration taken place, the investigators should have been able to uncover traces of it at this stage.
The method used to install the ransomware was not identified, either. The investigators only reported that the virus was able to “pass through a password protected firewall.” The most probable cause of the infection is a drive-by download: the assumption is that an employee visited a compromised domain or followed a redirect link. A spam e-mail is another possible source.
The cybersecurity firm was able to uncover more information on the ransomware’s network activity. They discovered that the virus was communicating with a command-and-control server located in Russia. Whether or not the cyber criminals themselves are of Russian origin has not been confirmed. The cybersecurity firm is still investigating the AAIR systems.
Hershey also addressed the risk to the affected patients. AAIR offered its patients a year of free identity theft protection services from ID Experts. “Just out of an abundance of caution, we do want people to sign up for an identity theft protection program. That way if they do have a problem they can get help,” Hershey said.
AAIR decided to submit a breach report to the Department of Health and Human Services’ Office for Civil Rights (OCR). The institution made this decision because it could not be certain whether the exposure of patients’ personal data constituted a breach under the Health Insurance Portability and Accountability Act (HIPAA).