The private health information relating to more than 55,000 patients may have been compromised in during a ransomware attack against ABCD Pediatrics on the 6th of February 2017. Attackers managed to access ABCD Pediatrics’ servers following which Dharma ransomware was installed and consequently some PHI was encrypted.
Dharma ransomware has been identified by experts as a variant of CrySiS ransomware. CrySiS ransomware proved to be one of the most used ransomware variants of 2016, however towards the end of the year ESET released a decryptor that permitted victims to recover their files for free.
In March 2017, a free decrytptor was developed for Dharma ransomware after the release of a number of decryption keys on the internet. Unfortunately, the ransomware attack on ABCD Pediatrics occurred almost a month prior to the release of the decryptor.
ABCD pediatrics managed to recover from the attack and avoided making a ransom payment as its files had been adequately backed up and stored on a separate and secure system. Thankfully, no patients’ protected health information was lost or destroyed as a consequence of the attack. Ultimately, all of the encrypted or corrupted data was recovered. Somewhat unusually, a ransom demand from the attackers was not in fact received at any point.
Dharma ransomware has not previously been known to exfiltrate data, however the enquiry into the attack was unable totally rule out the possibility of data access and theft.
A large number ransomware attacks are carried out at random rather than the deliberate targetting of the victim. Often they occur as a consequence of unsuspecting employees clicking on links in unverified emails or opening malicious email attachments. That does not appear to have been what happened in the ABCD Pediatrics ransomware attack however.
According to the findings of the investigation of the incident, it appears that the attackers managed to access one or more servers before ransomware was installed. ABCD Pediatrics have not revealed how long the attackers had access to its system, only that access was gained to certain parts of its network for ‘a limited time.’ Nonetheless, during that time, it is indeed possible that PHI may have been accessed and stolen. That said, the forensic investigation found no evidence of PHI access or data exfiltration.
The IT company hired by ABCD Pediatrics to investigate the attack discovered that user accounts had been opened before the attack and noted the user logs indicated that a person, persons or computer programs were used on the server prior to the installation of the ransomware.
This is not the only ransomware attacks on healthcare providers to have been reported in 2017, however the attack on ABCD Pediatrics stands out because of the number of patients who were affected. The HHS’ Office for Civil Rights received a breach report indicating that some 55,447 patients were impacted by the attack, meaning that it is the 8th biggest healthcare data breach of 2017 so far. Furthermore, the data put at risk was extensive, including Social Security numbers, full names, dates of birth, postal addresses, personal telephone numbers, demographic information, insurance account information, procedural technology codes, laboratory test reports and medical records.
The investigation revealed how attackers gained access to the servers and new protections have now been put in place to avoid future attacks. The patients impacted by the breach have now been informed and have been offered both credit monitoring plus identity theft protection services for the next year free of charge.
