Confirmation of Ransomware Attack on Women’s Health Centre in Kentucky

A sole-practitioner gynaecologist’s clinic in Ashland, Kentucky has become the most recent healthcare provider to be targeted by ransomware attackers.

The Department of Health and Human Services was recently informed of the attack by Ashland Women’s Health. The healthcare practice indicated that the attack may have allowed its patients’ private health information to be accessed by the attackers.

Ransomware attacks should be reported to OCR except where the healthcare provider concerned can demonstrate there was only a small likelihood that ePHI was compromised. In this case, that possibility could not be dismissed with any level of certainty. Conceivably, the ePHI of up to 19,727 patients was jeopardised by the attack.

Although Locky, CryptXXX, Cerber, and Samsa have been used in numerous targeted attacks on healthcare centres, the attack on Ashland Women’s Health was carried out using a less well-known ransomware variant named HakunaMatata. HakunaMatata, which is a variant of NMoreira or AiraCrop ransomware, uses RSA-2048 and AES-256 encryption to lock its victims’ files. It is similar to the better-known Spora ransomware in a number of respects.

It remains unclear just how much protected health information was encrypted; however, the practice released a statement confirming that names and addresses were encrypted together with other PHI, and that EHRs were encrypted. The infection left the EHR inaccessible for two days while the ransomware attack was mitigated, which had repercussions on patient care.

Appointments with patients were maintained; however, the practice was obliged to record information on charts until its systems were repaired.

Ultimately, attempts by Ashland Women’s Health to remove the ransomware and recover the encrypted data were successful as backups of data had been made. No ransom was paid to the attackers. The attack was reported to the authorities, including the FBI, and an investigation is underway.

The recent attack on Ashland Women’s Health underlines the importance of backing up EHRs and other data on a regular basis. Had a viable backup of data not existed, the health centre would have been obliged to pay the ransom or risk data loss. The latter can potentially result in a significant fine under HIPAA.

Other examples of recent ransomware attacks include an attack on ABCD Pediatrics, which affected more than 55 thousand patients, as well as a significant attack on Urology Austin in which almost 280,000 patients were affected. The attack on Urology Austin is the largest healthcare ransomware attack of 2017 so far.


Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.