East Central Kansas Area Agency on Aging (ECKAAA), an Ottawa-based body, has reported that a ransomware attack encrypted files on one of the agency’s servers and exposed files containing the protected health information (PHI) of approximately 8,750 patients.
The cyberattack happened on September 5, 2017, and was immediately identified by ECKAAA, which took swift action to limit the spread of the infection. As a result, only some of the files on the server were encrypted. Those files were found to contain names, telephone numbers, addresses, birthdates, Medicaid numbers, and Social Security details.
ECKAAA contracted a cybersecurity firm to help with the investigation and determine the true extent and nature of the attack. The investigation showed the ransomware used was a variant of Crysis/Dharma, which is known to encrypt files stored locally, on mapped network drives, and on unmapped network shares. Crysis/Dharma ransomware also deletes shadow volume copies to obstruct recovery.
While the investigation found no proof that data had been downloaded, the possibility of data access and data theft could not be ruled out. ECKAAA reports that while not all files on the server were encrypted, the attackers may have had access to all files kept on the server.
Prior to the ransomware attack, ECKAAA had put in place security measures to protect against malware attacks and to ensure files could be recovered in the event of disaster. Consequently, it was possible to recover all the encrypted files without having to pay the ransom.
As the protections in place were not enough to block the ransomware attack on this occasion, ECKAAA has put in place a number of new measures to enhance security. Those measures include using CrowdStrike advanced malware agents and a subscription to Cisco Umbrella Insights to strengthen security monitoring.
Additional training has also been provided to the workforce to improve awareness of the threat from ransomware, a full password reset has been carried out, and staff have been reminded about the importance of choosing strong passwords. A review of policies and procedures is also under way, and they will be updated accordingly to reduce the risk of future attacks.
ECKAAA completed a fully HIPAA-compliant breach procedure. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), a substitute breach notice was published on the ECKAAA website, and media reports were sent to prominent newspapers serving each of the five counties in which the agency provides support. All clients have now been notified by mail of the potential violation of their PHI.