Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)
2 Medical Practices Among Latest Ransomware Attack Victims
But Are Such Incidents Underreported to Regulators?A urology practice in Ohio and an eye care provider in Indiana are among the latest victims of ransomware attacks in the healthcare sector. Some security experts suspect that such attacks are still underreported to regulators.
See Also: Protect Your Amazon S3 Data: Why Versioning, Replication, and AWS Backup are Not Enough
NEO Urology in Boardman, Ohio, reportedly paid a $75,000 ransom in bitcoin to unlock its data, according to local news outlet WFMJ.
As of Monday, the NEO Urology incident was not yet listed on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website of major breaches impacting 500 or more individuals.
The ransomware attack on N.E.O. Urology was discovered on June 10 when the practice manager received a fax demanding a ransom to unlock its computer systems, which were encrypted by ransomware, WFMJ reports.
The urology practice contacted an IT firm, which used a third party to pay the ransom to hackers, according to the news report. N.E.O. Urology told police that the hackers “went so deep into their system that it took until Wednesday [June 12] to access their computer systems,” according to WFMJ.
N.E.O. Urology reported to police a revenue loss between $30,000 and $50,000 per day as a result of the attack, according to the news report.
The practice did not immediately respond to an Information Security Media Group request for details and comment about the attack.
Eye Care Attack
Meanwhile, a recent ransomware attack that targeted Evansville, Indiana-based Talley Medical Surgical Eyecare Associates PC is listed among the 10 top largest breaches added so far this year to the HHS tally.
On May 24, Talley reported to HHS an “unauthorized access/disclosure” breach impacting 106,000 individuals and involving the practice’s desktop computer, electronic medical records, email, laptop and network server.
In statement provided to ISMG, Talley said it was the victim of an April 3 ransomware attack that rendered files inaccessible.
”The files that were rendered inaccessible as a result of the attack contained health and demographic information of current and former patients and employees, including name, address, Social Security number, medical information, including diagnosis and treatment, and other related personal information,” the statement notes.
”After investigation and significant effort Talley was successfully able to have the files unlocked,” the statement adds.
Talley’s practice manager declined to tell ISMG whether Talley paid a ransom to unlock it data. “We were able to get our data back, but our practice does not wish to divulge any additional details,” he says.
The FBI and other law enforcement agencies generally advise against paying ransoms because it can encourage more attacks, and there’s no guarantee attackers will unlock data and systems once they receive the ransom.
Talley’s statement notes: “Based on its investigation, Talley has no evidence or indication that any files with the personal information of any patients or employees were accessed or removed; however, affected individuals are being notified.”
The practice says it’s hired outside experts to “review its internal procedures to prevent future incidents. “
Lack of Reporting?
Back in 2016, HHS issued guidance on ransomware that stated most ransomware attacks result in breaches that must be reported under the HIPAA Breach Notification Rule. But some observers believe that many ransomware attacks remain unreported.
“Sometimes organizations do not recognize that an incident qualifies as a HIPAA breach, and this includes ransomware,” says Kate Borten, president of privacy and security consultancy The Marblehead Group. “There may be a tendency to believe patient data has not been compromised and, thus, no breach occurred.”
Susan Lucci, senior privacy and security consultant of tw-Security, says: “By now, we would hope both covered entities and business associates clearly understand their responsibilities to report a ransomware attack based on specific guidance by HHS on this subject.”
The guidance notes that “when ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired – for example, unauthorized individuals have taken possession or control of the information - and thus is a ‘disclosure’ not permitted under the HIPAA privacy Rule,” Lucci points out.
When organizations conduct a breach analysis to determine if there is a low probability of compromise to PHI, which means an incident doesn’t have to be reported to HHS as a breach, they must use caution, Lucci warns. “Should an [HHS] investigation ensue, documentation should be bullet-proof,” she says.
Delayed Detection
Experts caution that attackers often demand a ransom only after the attackers have already spent a long time undetected in a target organization’s systems causing other damage.
“When a ransomware attack results in an immediate demand from the attacker, there's little delay between attack and awareness,” Borten notes. “But a more sophisticated attacker could infiltrate a private network without detection long before launching a ransomware attack holding confidential data hostage.”
As of Monday, the HHS website showed 195 major health data breaches had been added to the tally so far in 2019 affecting a total of nearly 6.3 million individuals.
Among the largest ransomware attacks reported so far in 2019 was an incident impacting nearly 200,000 individuals reported in April by medical practice software and services provider, Doctors Management Services.
The decision to report a ransomware incident to HHS is only one regulatory consideration, Lucci warns.
”One thing important point to remember is, in the case of a ransomware attack, do not forget to check state statutes,” she notes. “Reporting a breach to the OCR [HHS Office for Civil Rights] is one thing, but in this particular case following state’s guidance in reporting this breach to individuals and other requirements is likely to be needed.”