A subcontractor of Highmark Blue Cross Blue Shield of Delaware has experienced a ransomware infection and cyberattack that has potentially compromised the personal information of approximately 19,000 beneficiaries of employer-paid health plans.
The ransomware attack occurred at Highmark BCBS subcontractor Summit Reinsurance Services (SummitRe) on August 5, 2016, although affected individuals have only just been notified of the incident. Highmark Blue Cross Blue Shield of Delaware has launched an investigation, which has so far determined that 16 current and former self-insured customers have been affected.
While it was the ransomware infection that tipped off SummitRe that its systems had been compromised, the investigation revealed that access had first been gained almost 5 months earlier, on March 12, 2016. It appears the attacker installed ransomware on SummitRe's systems in an attempt to extort money once access was no longer required. While many ransomware attacks are opportunistic, attackers have been known to deploy ransomware on compromised systems as a final step when they have no further use for the access. The practical consequence is that the ransomware was the end of the intrusion, not the start of it: restoring from backups would have addressed the encryption but not the five months during which the data could be read and copied.
The investigation into the breach is ongoing, although SummitRe has determined that patients’ names, medical record numbers, Social Security numbers, health insurance information, medical diagnoses, and clinical information related to insurance claims have all potentially been accessed. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services to protect them from financial harm. However, no direct evidence of misuse of health plan members’ data has been uncovered by SummitRe.
Ransomware attacks on healthcare organizations increased considerably in 2016, and data security experts have predicted that 2017 will see even more. While healthcare organizations are taking action to protect their data and systems from attacks, ransomware gangs are developing new and more sophisticated variants capable of bypassing even complex security defences.
Hackers are also wiping databases and demanding ransom payments for the safe return of the data. These attacks involve no malicious software at all: the attackers simply connect to databases that have been left exposed on the internet without authentication, a misconfiguration rather than a software vulnerability. As the recent attacks on MongoDB databases have shown, copies of the data are not necessarily taken. The attackers delete the databases and demand payment for data they never had, so nothing will be returned even if the ransom is paid.
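The two settings that made the MongoDB extortion attacks possible are a server listening on every interface and running with authorization disabled. The following audit script is an added example, not code from the original article or from MongoDB: it reads a mongod.conf, flags those two settings, and shows a constructed exposed configuration beside its hardened form. The parser handles only the two-level `section:` / `key: value` subset of YAML that mongod.conf files use, so it needs no third-party library; it treats a missing `bindIp` as exposed because mongod releases before 3.6 listened on all interfaces by default.

```python
"""Audit a mongod.conf for the settings behind the MongoDB wiper/extortion
attacks: listening on non-loopback interfaces and running without
authorization.  Added example; sample configs below are constructed."""

from typing import Dict, List

# Constructed: an exposed config.  bindIp 0.0.0.0 listens on every
# interface, and the absent security.authorization key means auth is off,
# so anyone who can reach TCP/27017 can read, drop and replace databases.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the hardened form, bound to loopback with auth required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the `section:` / `  key: value` subset of YAML used by
    mongod.conf into dotted keys, e.g. {"net.bindIp": "0.0.0.0"}.
    Comments and blank lines are skipped; deeper nesting is not needed."""
    settings: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if not raw.startswith(" "):      # top-level section header
            section = key
            if value:                    # tolerate `key: value` at top level
                settings[key] = value
        else:
            settings[f"{section}.{key}"] = value
    return settings


def audit(text: str) -> List[str]:
    """Return findings for an exposed or unauthenticated mongod; an empty
    list means the config passes both checks."""
    s = parse_conf(text)
    findings: List[str] = []

    # Fail closed: no bindIp at all is treated as exposed, since older
    # mongod binaries defaulted to all interfaces when the key was absent.
    bind = s.get("net.bindIp")
    if bind is None:
        findings.append("net.bindIp not set: pre-3.6 mongod listens on all interfaces by default")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        if not addrs <= LOOPBACK:
            findings.append(f"net.bindIp={bind}: listens on non-loopback interface(s)")
    if s.get("net.bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll=true: listens on all interfaces")

    # Without security.authorization: enabled, every connection is root.
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that reaches the port has full access")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'OK'}")
```

Run it against a real `/etc/mongod.conf` by reading the file into `audit()`. A finding on `bindIp` is only acceptable when the port is also firewalled and authorization is enabled; an empty result still says nothing about whether a copy of the data was already taken before the config was fixed.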
To prevent data loss and extortion attempts, it is essential that frequent backups are made and stored where attackers cannot reach them. A backup that is reachable with the same credentials or from the same network as the production system will be deleted or encrypted along with it, so at least one copy should be kept offline or otherwise immutable, and restores should be tested regularly. Backups restore availability; they do not undo the disclosure of data that was copied before it was wiped or encrypted.