When Peachtree Neurological Clinic was attacked with ransomware, all was not lost, as data were recoverable from backups; however, the ransomware investigation revealed something far worse. Its systems had been breached 15 months previously.
The ransomware incident resulted in the encryption of the provider’s electronic medical records. A ransom demand was issued. Payment was required in exchange for the keys to unlock the encryption. Since Peachtree Neurological Clinic had a backup of its data, it was not necessary to pay the ransom. The encrypted files could be restored.
A forensic investigation was conducted to determine whether all traces of the ransomware had been removed. Peachtree Neurological Clinic conducted various scans of its system to determine whether the ransomware had been totally eradicated and whether there were any other nasties on its systems. Peachtree Neurological Clinic also investigated to determine whether the attack involved the exfiltration of any data.
While no evidence of data exfiltration was uncovered and the ransomware was determined to have been removed, Peachtree Neurological Clinic found out its systems had been accessed 15 months previously, in February 2016. Access remained possible until May 2017, when the intrusion was detected and access was blocked.
The malicious actors behind the ransomware attack could potentially have viewed information contained in the EMR system, although no evidence of data access was uncovered. The hack would also have allowed unauthorized individuals to gain access to the same information.
The types of information that could potentially have been viewed included names, telephone numbers, home addresses, birthdates, Social Security numbers, driver’s license numbers, prescription information, procedure information, treatment information and health insurance details.
The two attacks have been reported to law enforcement and steps are being taken to improve security to prevent future cyberattacks. Peachtree Neurological Clinic says its EMR system has now been secured and external access is no longer possible.
Patients affected by the incidents have been offered identity theft protection services through MyIDCare for 12 months without charge as a precaution, and all have now been notified of the security breaches by mail.