Ransomware thieves are becoming more organized and savvy. Healthcare is a prime target for a dizzying list of ransomware groups that steal data and extort payments, and that list is growing every day. Today’s story illustrates how simple the attack can be, and how devastating the result is.
A ransomware group calling itself “Conti” recently stole almost 2 million patient files from Leon Medical Centers (LMC) in Miami and published the data on a leak site. Conti then published their methods through DataBreaches.net. The information Conti leaked so far includes social security numbers, photos, and files with payroll, banking, bank statements, card statements, and more, for both employees and patients.
LMC is a comprehensive outpatient healthcare system that includes seven medical centers. It offers a full range of healthcare services to Medicare patients including classes and events, transportation services, and pharmacy.
More Patient Data Leaks are Threatened
A tactic cyberthieves use is to leak stolen data gradually, a chunk at a time, to pressure an organization into paying the ransom. As of today, Conti has not leaked all the data it holds, but it has revealed what might still be coming. DataBreaches.net reports:
While there was a large amount of information on named employees, there was even more data on patients. Apart from listings of named patients who had tested positive for COVID-19 (lists that were seemingly sent to the Florida Department of Health), two folders that Conti allowed DataBreaches.net to view were particularly concerning. One directory contained more than 1.47 million files that appeared to be scans of patient appointment/service records from 2013-2015.
The patient data includes first and last names, gender, age, date of birth, date and time of appointment, referring physician’s name, provider’s name, and the reason for a visit or appointment.
Ransomware Comes in the Front Door
In response to DataBreaches.net’s question, “how did you do it?”, Conti replied with a brief statement that appears to be what they sent to LMC as the attack began weeks ago.
Below are the first few sentences from Conti’s statement. This is all you need to see the point: the initial break-in is simple.
In September we sent you an email containing the exploits in the attached document. It was opened by a user with citrix access. Then, using the CVE-2020-0796 vulnerability, rights were raised to the local administrator. After that, using the program Blood Hound… (italics added for emphasis)
(Read the full statement on DataBreaches.net’s blog)
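The statement names CVE-2020-0796, the SMBv3 compression flaw in Windows 10 and Windows Server versions 1903 and 1909, as the step that turned a phished user account into a local administrator. The following PowerShell check is an added example written for this article’s readers; it is not part of the article or of Conti’s statement. It reports whether a host is one of the affected builds and whether Microsoft’s patch or its documented registry workaround (ADV200005) is in place. The function names are mine, and the default hotfix id (KB4551762) is my assumption based on the out-of-band update Microsoft released for this CVE; override it with `-HotfixId` if your baseline tracks a different package.

```powershell
# Added example (not from the article): assess a Windows host's exposure to
# CVE-2020-0796 from the defender's side. Read-only unless you call the
# Set-* function explicitly. Hypothetical function names; KB id is an assumption.

function Get-SmbGhostExposure {
    [CmdletBinding()]
    param(
        # Assumed: the out-of-band update Microsoft published for CVE-2020-0796.
        [string]$HotfixId = 'KB4551762'
    )

    # Only builds 18362 (version 1903) and 18363 (version 1909) shipped the
    # vulnerable SMBv3 compression code.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $affectedBuild = $build -in 18362, 18363

    # Microsoft's workaround disables SMBv3 compression for the server role.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $compressionDisabled = ($params.DisableCompression -eq 1)

    # Patch presence as recorded by the servicing stack.
    $patched = [bool](Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue)

    $status = if (-not $affectedBuild)       { 'NotAffectedBuild' }
              elseif ($patched)              { 'Patched' }
              elseif ($compressionDisabled)  { 'WorkaroundOnly' }
              else                           { 'EXPOSED' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedBuild       = $affectedBuild
        HotfixInstalled     = $patched
        CompressionDisabled = $compressionDisabled
        Status              = $status
    }
}

# Applies Microsoft's registry workaround. Requires an elevated session and
# supports -WhatIf so it can be previewed before any change is made.
function Set-SmbCompressionDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if ($PSCmdlet.ShouldProcess($key, 'Set DisableCompression = 1')) {
        Set-ItemProperty -Path $key -Name DisableCompression -Type DWORD -Value 1 -Force
    }
}

$report = Get-SmbGhostExposure
$report | Format-List
if ($report.Status -eq 'EXPOSED') {
    Write-Warning 'Host is exposed to CVE-2020-0796. Install the update, or run Set-SmbCompressionDisabled -WhatIf to preview the interim workaround.'
}
```

Run it from a risk-management baseline and feed the `Status` field into your asset inventory. Note that Microsoft’s registry workaround only disables compression for the server role and does not protect SMB clients, so a remediation plan should track the patch itself rather than treat `WorkaroundOnly` as closed.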
HIPAA Breach Notification
Leon Medical Centers has a lot of work ahead. They are currently in the midst of their own cyber investigation to assess the causes, the extent of the losses, and how to recover. They’ll also be watching for more data dumps.
Beyond that, they need to conduct a HIPAA Breach Analysis to determine what their HIPAA obligations are. Most likely they’ll need to notify all affected patients, the media, and the U.S. Department of Health and Human Services through its data breach website.
Prevention includes HIPAA Compliance and Training
Defense against cyber attacks requires multiple layers, from malware/anti-virus protection to workforce training. A HIPAA Risk Analysis will uncover weaknesses that can be addressed with a Risk Management Plan. And the Security Rule Checklist in the Risk Analysis digs deeper to identify gaps in the use of electronic records.
The most devastating cyber attacks often begin through email, with a simple request to click a link or open an attachment. Cybersecurity training to help staff undo these habitual responses can help slow or stop attacks. This training does not need to be complicated or lengthy – The HIPAA E-Tool® has everything needed to beef up defenses against the worst attacks and maintain compliance under HIPAA.