Massachusetts-based medical billing services supplier Doctors’ Management Service Inc. discovered on December 24, 2018 that malicious software had been downloaded to its network and was preventing files from being accessed.
An investigation into the security incident found that GandCrab ransomware had been deployed. Files were restored from backups and no ransom was paid.
The review also found that the individual responsible for installing the ransomware had first obtained access to its systems on April 1, 2017, 7 months prior to the ransomware being deployed. Access to the network was obtained via Remote Desktop Protocol (RDP) on one of its workstations.
The sections of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, including names, addresses, dates of birth, Social Security numbers, insurance data, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic data.
The attack appears to have been timed so that it would not be immediately noticed. The deployment of ransomware could have been an attempt to extort money after the hackers’ other objectives had been achieved.
Doctors’ Management Service stated in its breach notification letter that no unauthorized server access was seen until the ransomware was deployed on December 24, and the forensic investigation did not find any evidence of access to or exfiltration of patient data, although the forensic investigators could not rule out the possibility of data theft.
Third-party computer security consultants have been hired and have made recommendations on how network security can be enhanced. The company will implement additional controls to prevent further security breaches and staff will continue to be trained on security threats.
Affected clients and patients have been alerted about the incident and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The breach summary has yet to be published on the OCR breach portal, so it is unclear how many individuals have been affected.