Fraud Management & Cybercrime , Governance & Risk Management , Incident & Breach Response

'Virus Infection' Prohibits Access to Patient Records

Attack on a California Medical Group Affects Nearly 198,000 Individuals
'Virus Infection' Prohibits Access to Patient Records

A recent cyberattack on a California medical imaging and oncology services provider, which prohibited access to patient data, is one of the largest health data breaches reported so far this year.

See Also: Fireside Chat | Zero Tolerance: Controlling The Landscape Where You'll Meet Your Adversaries

Ontario, Calif.-based Centrelake Medical Group reported on April 16 to the Department of Health and Human Services a hacking/IT incident affecting nearly 198,000 individuals, according to HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website.

Commonly called the "wall of shame", the OCR website lists health data breaches impacting 500 or more individuals. As of April 25, the Centrelake incident was the sixth largest health data breach added to the federal tally so far this year.

So far in 2019, hacking/IT incidents have been reported in nine of the 10 largest health data breaches posted on the federal tally.

Impact of Virus

In its breach notification statement, Centrelake - which has eight patient care facilities in Southern California - says that on Feb. 19, it discovered that its information system "had been infected with a virus that prohibited our access to our files."

Although the description of malware preventing access to Centrelake's systems sounds like a ransomware attack, "ransomware" was not mentioned in the entity's statement.

Centrelake did not immediately respond to an Information Security Media Group request for additional details about the incident.

The organization's statement notes that a forensics review of the incident determined that a "virus" was introduced by an unknown third party that had access to certain servers on the entity's network that contain information on current and former patients.

"After a review of available forensic evidence, we determined that suspicious activity began on our network on Jan. 9, 2019, lasting until the virus infection on Feb. 19, 2019," Centrelake says.

So far there's no evidence that the intruder accessed or acquired personal data stored on the servers, the statement says.

The provider organization says the affected servers housed files and software applications containing patient information that may include names, addresses, phone numbers, Social Security numbers, services performed and diagnosis information, driver's license information, health insurance information, referring provider information, medical record numbers, and dates of service.

Centrelake says it is offering one year of prepaid identity and credit monitoring to affected individuals.

"In addition to launching the ongoing investigation and restoring the integrity of our information system, we are reviewing our policies and procedures and enhancing the security of our information system to mitigate the risk an incident like this will occur in the future," Centrelake says.

'Destructive Malware'

If the "virus infection" that at least temporarily prohibited Centrelake from accessing its patient and other data was not ransomware, it's possible that the incident involved another destructive malware, says Keith Fricke, principal consultant at tw-Security.

"Two types of malware come to mind and both are destructive," he says. "One type could be encrypting files without the intent of collecting a ransom. The other type could be malware that deletes data, similar to the NotPetya malware seen last year."

Chip Henderson, a senior security analyst at Pondurance, a cybersecurity services provider, offers a similar assessment.

"While ransomware is really the only malware type that would prevent access to files, there may be other reasons during an investigation that makes user data inaccessible," he notes.

"For instance, if stealth malware, such as a Trojan, was found on a server, that server may need to be taken offline for remediation, rendering any applications or databases running on the server unusable for a period of time," he says.

Additionally, if a cryptojacker/cryptominer, which leverages the server's resources for mining bitcoins, was installed, it could potentially cause severe resource constraints by pegging the RAM/CPU which could in turn affect the availability of certain services running on the server, he says.

"Other potential scenarios involve self-propagating malware, such as qbot, that brute forces account passwords to spread and can cause account lockouts," he adds. "However, one might have expected a symptom such as that much earlier in the attack lifecycle."

"If an adversary successfully gains a foothold, there is still a period of time before the adversary is successful in accomplishing their mission."
—Chip Henderson, Pondurance

It's not unusual for an organization to report, as Centrelake did, that suspicious activity commenced weeks before it lost access to its data, Fricke says.

"Intruders often have unauthorized access for a while before being detected. The current metric I've heard recently is that attackers are in a network for about 74 days on average before being detected," he notes. "In the Centrelake situation, it may have been that the intruder was performing reconnaissance on the network to find where information of interest was located before initiating the malware."

Taking Action

So, what can other organizations do to prevent these kinds of attacks that limit access to data?

"Monitoring network activity 24x7 is a necessity and becoming the norm these days," Fricke says. "It is a common practice to outsource that capability because it is difficult to maintain employed staff to perform the monitoring and analysis around the clock.

Keeping security patches, end point and server protection up to date is important, Fricke adds. "Scanning your own networks regularly for vulnerabilities and addressing high risk ones before criminals find them is also a must-do."

While prevention is important, effective detection also is essential, Henderson says. "If an adversary successfully gains a foothold, there is still a period of time before the adversary is successful in accomplishing their mission," he says.

"If the adversary can be identified, contained, and eradicated during this window, then it is still a win for the blue team, and this capability all comes down to network visibility and trained analysts hunting for threats in the network. You can't thwart attacks in progress that you never see."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.