A recent New Jersey Spine Center ransomware attack resulted in electronic patient health records being locked with powerful encryption.
The attack involved the ransomware variant CryptoWall, which has been used in numerous attacks over the past few months. Unfortunately, while decryptors have been published for a number of ransomware variants, the latest version of CryptoWall has resisted security companies’ efforts to crack it. Infection with this ransomware variant leaves organizations with three choices: accept data loss, recover the files from a backup, or pay the ransom demand to obtain the key to decrypt the data.
Since patient health data were locked, accepting data loss wasn’t an option. Unfortunately, recovering data from a backup was not possible as the most recent backup had also been encrypted. That left the spine center with no alternative but to give in to the attackers’ demands. Fortunately, the attackers supplied a viable key and access to the data was regained.
The New Jersey Spine Center ransomware attack occurred on July 27, 2016. Encrypted patient files contained names, personal information, Social Security numbers, details of procedures performed, clinical information, credit card numbers, and account information. Office notes, reports, and other important files were also locked. Access to the files was regained on August 1 after the ransom was paid.
According to a letter sent to patients on September 22, “The virus likely utilized a list of stolen passwords and ran an automated program that attempted access until a correct match was found.”
The FBI has been informed of the New Jersey Spine Center ransomware attack; however, as was pointed out in the letter to patients, the attackers most likely originated from outside the United States, making it almost impossible to identify the individuals responsible, let alone bring them to justice.
All individuals affected by the incident have been offered identity theft protection services for 12 months without charge, although in attacks such as this, data are usually blindly encrypted rather than being stolen. The identity theft protection services were provided “out of an abundance of caution.”
Ransomware attacks are reportable to the Department of Health and Human Services’ Office for Civil Rights under HIPAA Rules. However, it is unclear exactly how many patients were impacted by the incident as the breach report has yet to be uploaded to the OCR breach portal.