Sports Medicine Practice Hit by Two Hacking Attacks in 7 Days

A hacker gained access to the systems of a family and sports medicine practice based in Colorado and encrypted files with ransomware.

Longs Peak Family Practice (LPFP) in Longmont, CO, discovered suspicious activity on its internal network on November 5, 2017, and took quick measures to safeguard its systems. However, before the measures were in place, the attacker ran ransomware code which encrypted files on some parts of its network.

LPFP was braced for such cyberattacks and was able to recover the encrypted files and rebuild its systems from backups that had been previously created. However, five days after the initial intrusion was noticed, LPFP saw that a second attack had occurred and that its systems had been logged on to again. Ransomware was not employed in the second breach.

While the first incident was handled internally, when the second attack was noticed, LPFP called in a large computer forensics firm to assist with the review, conduct scans for malware and backdoors, and ensure that unauthorized access to its systems was no longer possible.

That investigation revealed that an unauthorized person had accessed certain parts of LPFP’s network on November 5, 9, and 10, 2017. The forensic investigation took until December 5 to come to an end, but did not uncover any specific details to suggest the attacker had opened any files or stolen sensitive information.

However, the investigators were not in a position to rule out data access and theft with 100% certainty. While no evidence was seen to suggest the ransomware infection did anything other than blindly encrypt files, the malware could potentially have been used to download some files from the system.

Files saved on the compromised devices included the following patient data: names, addresses, email addresses, driver’s license details, Social Security credentials, dates of birth, internal patient ID numbers, insurance providers, insurance payment codes and costs, dates of service, records of notes made by LPFP staff and other healthcare providers, medical conditions, medications, prescriptions, diagnoses, data from diagnostic reports, and lab test results.

It is possible that final statements for accounts that had been sent to a collection agency may have been obtained, but no financial information, invoices for medical services, or credit/debit card details were taken in the attacks.

LPFP had already adopted a wide range of defenses to prevent unauthorized access to patient data, but these attacks exposed vulnerabilities in those defenses. Those vulnerabilities have now been remedied and changes have been made to how its network can be accessed. A new, stronger firewall has been purchased and applied, further training is being provided to workers on privacy and security, and the practice is looking into further tools and procedures that will help to enhance security.

Due to the sensitive nature of the details that were possibly accessed, LPFP is offering patients 12 months of complimentary identity theft repair and credit monitoring services through AllClear.

Author: Maria Perez