Decatur County General Hospital Malware Attack Exposes 24,000 Patient Records

It has been reported that Decatur County General Hospital in Tennessee suffered a malware attack after a virus was uploaded to a server housing its electronic medical record network. It is thought that the attacker could have gained access to the medical records of up to 24,000 people.

The malware installation was found on November 27, 2017 by the hospital’s medical record system vendor, which maintains the server on which the system is held. An audit revealed that the malware was a cryptocurrency miner.

Cryptocurrency mining is defined as using computer processors to verify cryptocurrency transactions and compile them on the public ledger containing details of all transactions since the currency began. The steps for verifying transactions require computers to solve complex mathematical problems.

Cryptocurrency mining can be performed by any person with a computer, and in return for solving those mathematical problems, the miner is rewarded with a small payment for verifying the transaction.

A single computer can allow a person to earn a few dollars a day performing cryptocurrency mining. Large numbers of computers can lead to larger profits. A collective of cryptocurrency mining slave computers, such as those infected with cryptocurrency mining malware, can lead to huge earnings. Cryptocurrency malware campaigns and infections have soared in recent times.

Since cryptocurrency mining uses up a massive amount of processing power, computers infected with the malware may slow noticeably, although it may not always be apparent that malware has been installed. In the attack at Decatur County General Hospital, the malware infection was not discovered by its EMR vendor for more than two months. It appears that the malware was installed prior to September 22, 2017.

Cryptocurrency mining malware, in most cases, only has one function. The malware is not normally associated with data theft. However, in this scenario, the hacker appears to have gained access to the server in order to install the malware. Access to patient data was therefore achievable.

Decatur County General Hospital carried out a thorough investigation into the server breach and malware infection, and while nothing was uncovered to suggest data access or data theft, it was not possible to completely verify that data access had not occurred. Therefore, measures were taken to send out alerts to patients that protected health information had potentially been compromised.

Due to the highly sensitive nature of data held on the server – names, addresses, birth dates, Social Security numbers, prognoses, treatment accounts, and insurance billing information – all individuals impacted by the incident have been, as a precautionary step, offered credit monitoring services for one year through True Identity without charge.

No misuse of patient information has been reported to date, and the hospital believes the sole aim of the attacker was to place the malware, not to steal patient information. However, patients have been warned of the importance of exercising caution, keeping a close eye on their accounts, credit, and EoB statements for any sign of fraudulent activity, and being wary of any correspondence received via telephone, mail, or email about the attack.

Author: Maria Perez