FABEN Obstetrics and Gynecology has been hit by a ransomware attack on a server that stored patients’ protected health information (PHI).
The ransomware was discovered on November 21, 2018 and led to widespread file encryption. A review was initiated to determine the extent of the attack and whether any patients’ PHI was obtained or downloaded by the hackers.
A review of the files stored on the server showed that files containing patients’ PHI had been encrypted. FABEN found that the hackers had not viewed the files and that no data had been downloaded from the server.
The ransomware variant deployed in the attack was GandCrab. While open source decryptors have been made available for some GandCrab ransomware variants, they do not work on the latest versions of the ransomware. FABEN received a ransom demand, although the decision was taken not to meet the demands in order to get the key to decrypt the files.
The files that had been encrypted were produced between January 2007 and April 10, 2017, and included clinical electronic medical records containing names, diagnosis data, treatment information, and other information regarding medical services provided to patients, including visit dates and labor and delivery details.
FABEN has said that it was only possible to restore files that had been created between 2007 and April 2014. There was an issue with recovering records created between September 11, 2014 and April 10, 2017. Those files have been lost forever.
The lost files included names, blood sugar logs, blood pressure logs, medical records given to FABEN by patients in paper form during the above time period, and documentation about the Family and Medical Leave Act.
FABEN remarked, in a substitute breach notice uploaded to the FABEN website, that “since the infected files were encrypted but not exfiltrated, there is no increased risk of identity theft, nor is there an increased risk that a third party may view your protected health information at this time as a result of the ransomware attack”. The practice is notifying only the 6,092 patients whose information was unrecoverable to make them aware of the situation.
The ransomware attack has been reported to law enforcement and the HHS’ Office for Civil Rights (OCR). The investigation into the attack is still ongoing. FABEN is trying to determine exactly how the ransomware was placed on its systems, the source of the hack, and its full extent.
Third-party consultants have been hired to review security, and additional security procedures have already been put in place. FABEN is also using additional backup servers to prevent further data loss should another attack take place.