
West Virginia Hospital to Report Breach in 'Donut' Data Leak

CEO Says Ransomware Attack Encrypted, Exfiltrated Legacy Data From 'Old Servers'

A West Virginia hospital will soon begin notifying patients and employees affected by ransomware attackers who leaked data on the dark web.


Montgomery General Hospital detected "irregular" activity involving malware on its IT systems on Feb. 28, and a ransomware incident occurred on March 1, the entity's CEO, Deborah Hill, told Information Security Media Group.

The hospital promptly contacted security firm Arctic Wolf to assist in the recovery and reported the incident to the FBI and the Department of Homeland Security, Hill said. It also called its cyber insurance provider. The investigation so far has determined that the incident started with an email phishing attack, she said.

The ransomware "locked up three or four servers" containing mostly historic "institutional data," including budget documents, cost reports and payments to vendors, Hill said.

The attackers demanded a $750,000 ransom in exchange for a decryptor key and the promised deletion of exfiltrated data. "We could have attempted to pay the ransom, but the data was so old that it wasn't worth paying," Hill said. "We were advised not to pay" by law enforcement, she added.

The hospital can still obtain much of the information stored on the affected servers, such as cost reports, through vendors that have copies and backups, Hill said.

The hospital's cloud-based electronic health records were not compromised by the incident, but the hospital took that system off the internet for about 24 hours as a precaution. Staff were still able to access patient information through "hot spots," she said.

Hill said the hospital is aware that at least some of the stolen data was posted on the "Donut Leaks" website.

Montgomery General, a critical access hospital that has 25 acute care beds and 44 long-term care beds, plans to report a data breach to regulators and to notify affected patients and employees within the 60-day HIPAA breach reporting deadline, Hill said.

Individuals whose Social Security numbers were compromised in the incident will be offered complimentary credit and identity monitoring, she said.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



