The protected health information of more than 55,000 patients has potentially been compromised in a recent ransomware attack on ABCD Pediatrics. Attackers gained access to ABCD Pediatrics’ servers and Dharma ransomware was installed, resulting in the encryption of some PHI.
Dharma ransomware is a variant of CrySiS ransomware. CrySiS ransomware was one of the most popular ransomware variants in 2016, although late last year ESET released a decryptor that allowed victims to recover their files free of charge.
Last month, a free decrytptor was developed for Dharma ransomware following the release of decryption keys online. However, the ransomware attack on ABCD Pediatrics occurred on February 6, almost a month before the decryptor was released.
ABCD pediatrics was able to recover from the attack without paying a ransom as its files were backed up and stored on a separate system. No protected health information was lost or destroyed as a result of the attack. All encrypted or corrupted data could be recovered. Interestingly, no ransom demand was received from the attackers.
Dharma ransomware is not known to exfiltrate data, although the investigation into the ransomware attack on ABCD Pediatrics could not rule out the possibility of data access and theft with a high degree of certainty.
Many ransomware attacks are random and occur as a result of employees clicking on links in spam emails or opening infected email attachments. However, that does not appear to be the case in the ransomware attack on ABCD Pediatrics.
The investigation of the incident suggested the attackers gained access to one or more servers prior to ransomware being installed. ABCD Pediatrics did not disclose how long the attackers had access to its system – the breach notice says access was gained to portions of its network for ‘a limited time’ – although during that time, it is possible that PHI was accessed and stolen. That said, no evidence of PHI access and data exfiltration was uncovered during the forensic investigation.
The IT company employed by ABCD Pediatrics discovered user accounts had been created prior to the attack and user logs indicated persons or computer programs had been used on the server prior to ransomware being installed.
Other ransomware attacks on healthcare providers have been reported this year, although this attack stands out due to the number of patients impacted. The breach report submitted to the HHS’ Office for Civil Rights indicates 55,447 patients were impacted, making this the eighth largest healthcare data breach of the year to date. The data potentially compromised was also extensive, including names, home addresses, telephone numbers, birth dates, demographic information, Social Security numbers, insurance billing information, procedural technology codes, medical records and laboratory test reports.
The investigation into the attack revealed how access was gained to the servers and additional protections have now been implemented to prevent future attacks from occurring. All affected patients have now been notified of the breach and have been offered credit monitoring and identity theft protection services for 12 months without charge.