Small Hospital Target of Extortion Scheme
E-mailer Threatens to Disclose Patient Info Unless Ransom Paid
A small county hospital in Illinois was the recent target of an extortion scheme, in which an anonymous e-mailer threatened to make public personal information about more than 12,600 patients unless a ransom was paid by the hospital.
In a Dec. 15 statement, Clay County Hospital, an 18-bed facility in Flora, Ill., says that on Nov. 2, it received an anonymous e-mail that contained information about some of its clinic patients. "The e-mail sender threatened to release this information to the public if they did not receive a substantial payment from the hospital," the statement says. A Clay County Hospital spokeswoman tells Information Security Media Group there were 12,621 patients affected by the incident, all in Illinois.
The hospital says it immediately notified law enforcement and quickly launched a forensic investigation to determine the source and scope of the incident. All affected patients were notified by Dec. 15 and were offered free credit monitoring service from ID Experts.
An investigation has determined that the patient data compromised is limited to name, address, Social Security number and date of birth, and that no medical information was accessed or disclosed, the hospital says.
"Extensive reviews from outside forensic experts concluded that Clay County Hospital servers have not been hacked and remain secure due to the rigorous security program that meets the standards set by HIPAA," the hospital says. That implies that the extortion effort may have been the work of an insider.
To help prevent other breaches of patient information, Clay County Hospital is implementing extra internal security measures that include additional logging systems and auditing features to track and control data access, the hospital says in the statement.
A notice on the hospital's website says the FBI as well as state and local law enforcement agencies are involved in the investigation. To date, there is no evidence of any misuse of the information exposed in this incident. Additionally, there is no evidence to suggest that the information has been released to the public, the notice says.
The Clay County Hospital spokeswoman declined to provide further comment about the incident to ISMG.
Kidnapping Data: A Trend?
While the Clay County Hospital incident is unusual, in that it apparently did not involve the use of ransomware by hackers, some security and privacy experts predict that such "data kidnapping" incidents will likely become more common.
"The data was likely collected using the approved credentials of an insider," says Andrew Hicks, healthcare practice director at security consulting firm Coalfire. "I definitely think these types of attacks, as well as the more traditional 'hacking' attacks, will be on the rise in the healthcare industry. The public is becoming increasingly aware of the fact that patient information ... is valued well above credit card and Social Security numbers," he says, noting that the value of stolen healthcare data today is estimated at $60 to $70 per record.
"For this reason and because healthcare information has been relatively left alone, data kidnappers and hackers will begin moving their attention from credit card numbers to patient information," he says.
Also, many healthcare organizations still remain less secure than those in other sectors, Hicks argues. "These organizations ... aren't learning their lessons from the plethora of data security breaches affecting major retailers, such as Target, Neiman Marcus, Sony, and on and on," he says.
While Clay County Hospital portrayed its security as "HIPAA compliant," Hicks notes that "compliance does not equal security." He adds: "The HIPAA Security Rule was designed to be scalable across all organizations, regardless of size, complexity and implemented technologies. For this reason, and the fact that the legislation is 18 years old, it is not prescriptive enough to properly safeguard patient information."
Healthcare entities can take steps to avoid becoming victims of data kidnapping incidents involving insiders, Hicks says.
That includes limiting data access to the minimum necessary. "This sounds simple, but access must be limited to the absolute minimum amount necessary for an employee to perform their job. This should be implemented through policy and technical controls," he says.
Hicks says healthcare organizations also should use Security Information and Event Management, or SIEM, systems and data loss prevention, or DLP, tools to help detect and prevent unauthorized access.
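The extra logging and auditing the hospital describes, together with Hicks's two recommendations (minimum-necessary access enforced by technical controls, and monitoring of data access), come down to rules run over EHR audit records: an account that touches far more distinct patients in a day than its role needs, or that reads fields its role has no business with, is exactly what an insider pulling 12,000 demographic records looks like in the logs. The Python below is an added example, not code from Clay County Hospital, Coalfire or any vendor named on this page. The audit-record format, the role-to-fields policy and the per-role daily caps are assumptions made for the illustration, and the log lines are constructed.

```python
"""Audit-log analytics for insider bulk access to patient records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed policy tables for illustration only (not any real hospital's rules).
# ROLE_ALLOWED_FIELDS encodes "minimum necessary": the fields each role needs.
ROLE_ALLOWED_FIELDS = {
    "nurse": {"name", "dob", "allergies", "meds"},
    "billing": {"name", "dob", "ssn", "address"},
    "scheduler": {"name", "phone"},
}
# Assumed cap on distinct patients one account may touch per day, by role.
# In production this would be baselined from history rather than fixed.
ROLE_DAILY_PATIENT_CAP = {"nurse": 40, "billing": 150, "scheduler": 80}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    patient_id: str
    fields: frozenset


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one assumed audit record:
    <ISO timestamp> <user> <role> <action> <patient_id> <comma-separated fields>"""
    ts, user, role, action, patient_id, fields = line.split()
    return AccessEvent(datetime.fromisoformat(ts), user, role, action,
                       patient_id, frozenset(fields.split(",")))


def parse_audit_log(lines):
    return [parse_audit_line(line) for line in lines if line.strip()]


def find_bulk_access(events):
    """Return {(user, day): distinct_patient_count} for every user-day above the
    role cap. Each access was made with valid credentials, so nothing is
    'hacked'; only the aggregate volume gives the insider away."""
    seen = defaultdict(set)  # (user, role, day) -> set of patient ids
    for e in events:
        seen[(e.user, e.role, e.ts.date())].add(e.patient_id)
    flagged = {}
    for (user, role, day), patients in seen.items():
        if len(patients) > ROLE_DAILY_PATIENT_CAP.get(role, 0):
            flagged[(user, day.isoformat())] = len(patients)
    return flagged


def find_minimum_necessary_violations(events):
    """Return (user, patient_id, extra_fields) for accesses that returned
    fields the user's role is not permitted to see."""
    violations = []
    for e in events:
        extra = e.fields - ROLE_ALLOWED_FIELDS.get(e.role, frozenset())
        if extra:
            violations.append((e.user, e.patient_id, sorted(extra)))
    return violations


def run_report(lines):
    events = parse_audit_log(lines)
    return {
        "bulk_access": find_bulk_access(events),
        "minimum_necessary": find_minimum_necessary_violations(events),
    }


# Constructed sample log: routine activity by two users, one scheduler lookup
# that pulls an SSN it should not see, and an after-hours export by a billing
# account that touches 200 distinct patients.
SAMPLE_LOG = [
    "2014-11-01T08:02:11 jsmith nurse VIEW p1001 name,dob,allergies",
    "2014-11-01T08:05:40 jsmith nurse VIEW p1002 name,dob,meds",
    "2014-11-01T09:12:03 tlee scheduler VIEW p1003 name,phone",
    "2014-11-01T09:15:22 tlee scheduler VIEW p1004 name,phone,ssn",
]
SAMPLE_LOG += [
    f"2014-11-01T22:{i // 60:02d}:{i % 60:02d} bclerk billing EXPORT "
    f"p{2000 + i} name,address,ssn,dob"
    for i in range(200)
]

if __name__ == "__main__":
    report = run_report(SAMPLE_LOG)
    for (user, day), n in report["bulk_access"].items():
        print(f"BULK ACCESS: {user} touched {n} distinct patients on {day}")
    for user, pid, extra in report["minimum_necessary"]:
        print(f"MINIMUM NECESSARY: {user} read {extra} from {pid}")
```

The two checks are deliberately independent: the billing clerk's export passes the field check (billing legitimately sees name, address, SSN and date of birth, the exact set compromised in this incident) and is caught only by volume, while the scheduler's single SSN lookup is within volume limits and is caught only by the field policy. Feeding the same records to a SIEM and alerting on either condition is the practical form of the "auditing features to track and control data access" the hospital says it is adding.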
Defending Against Ransomware
Organizations also need to step up their defenses against potential ransomware attacks, says Brian Evans, senior managing consultant at IBM Security Services. "This year I have seen a substantial increase in the number and variety of this type of malware," he says.
"Healthcare organizations should take common-sense precautions, including ensuring that their anti-virus solution is enabled with the latest updates applied, along with other security controls that include firewalls, vulnerability management, and intrusion detection and prevention systems," Evans says. "All valuable data should be regularly backed up, with those backups stored off the network so that they cannot be affected. Most importantly, users should be continuously educated not to open or download suspicious email attachments."
Additionally, "I would advise not paying any ransom since there is no guarantee that the attackers will actually do as they say once payment is received," he says. "Instead, disconnect the infected computer from the network and take remedial action, such as cleaning the computer or using remedial solutions available from a variety of anti-virus vendors."