Michigan-based Brookside ENT and Hearing Center has announced its closure following a ransomware attack on their facility resulted in all of their patient files being permanently destroyed.
The practice-run by just two doctors-lost access to patient records, appointment schedules, payment information, and other sensitive after a hacker gained access to their network and infected it with ransomware.
As with most ransomware attacks, the hacker stated that they would provide the key to unlock the files if the facility paid a ransom. In this instance, the hacker demanded a ransom of $6,500.
Although the hacker claimed that they would unlock the files once the ransom was paid, the owners of the practice, William Scalf, MD and John Bizon, MD, had no guarantee that this claim would be honoured. It was possible that the files wouldn’t be unlocked at all, or that the hacker would merely demand another payment. Therefore, Drs Bizon and Scalf decided not to pay the ransom.
The hacker promptly deleted all files on the system once they learned that the doctors refused to pay the ransom. Information recovery was impossible.
In response to the attack, Drs Bizon and Scalf decided to close the practice and retire early instead of rebuilding their practice again.
The media tends to focus most of its attention to the risk that cybercriminals pose to large organisations, due to the sheer quantity of patients that could be affected by these incidents. However, the attack on Brookside ENT and Hearing Center shows that these incidents can be devastating for smaller organisations. In this instance, it was preferable for the organisations to close permanently instead of paying a ransom to the criminals.
Brookside ENT and Hearing Center alerted the FBI to the security incident. This incident appears to be an isolated attack. Investigators determined that hackers did not view or access patient data appeared before locking or deleting the files, so the patients are at minimal risk of fraud.
Patients who had not obtained copies of their medical records prior to the ransomware attack have now lost access to all information stored by the facility.
This may prove to be a significant inconvenience for some patients. One patient at the practice told WWMT that her daughter had had surgery and she was attempting to schedule a follow-up appointment when she discovered that her medical records had been lost. She must now visit another provider, but that provider will have no details about the surgical procedure.
The practice officially closes April 30, 2019, until which point, patients can contact staff at the practice who can provide referrals.
This incident highlights that it is vital that organisations have proper backup policies in place. Had Brookside ENT and Hearing Center had backups of their patient data, the consequences of the attack would not have been as drastic as they were. All backups must be tested to ensure they have not been corrupted and file recovery is possible.
A good best practice to adopt is the 3:2:1 approach. The organisation should create three backup copies, on two different types of media, and store one copy securely off-site on an air-gapped device (a device that is not networked or accessible over the internet). In the event of a ransomware attack, systems may be taken out of action and computers may need to have software reinstalled, but at least no data will be lost.