Ransomware Attack Affects 300,000 Patients of Women's ClinicRecovery Was Quick, But Detection Took Months
A hacker attack on a women's healthcare clinic that impacted hundreds of thousands of patients ranks as the second largest ransomware related health data breach reported to date to federal regulators.
In July 18 statement posted on its website, Women's Health Care Group of PA, an obstetrician/gynecology practice based in Oaks, Penn., says that the clinic discovered in May that a server and workstation located at one of its offices had been "infected by a virus designed to block access to system files."
However, forensic analysis indicates that the attack might have begun as early as January, WHCGPA says.
"As part of our investigation, we learned that external hackers gained access to our systems, as far back as January 2017, through a security vulnerability. We also believe the virus was propagated through this vulnerability," the healthcare organization says.
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, says it's not uncommon for malware, including ransomware, to be installed in systems for long periods of time before they're noticed or activated.
Factors include the kind of malware used and the triggers for attacks, she says. "There are different types of ransomware. Triggers to launch them are typically upon opening a file, or even booting the computer. But, they could also be time-based, date-based, action-based, etc.," she notes.
Keith Fricke, principal consultant at tw-Security notes recent metrics that suggest that on average, criminals have gained unauthorized access to an organization's internal network for just over 200 days before being detected.
"For unauthorized access to a network, the delays in detection are usually because intruders try to fly under the radar," he says. In addition, many organizations do not have adequate and/or timely intruder detection methods.
However, "in contrast, ransomware makes itself known in much shorter periods of time because criminals want to collect their ransom fee," Fricke says.
In its statement, WHCGPA says that although the "security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident."
The clinic adds that "the encrypted files were promptly restored from our back-up server and the incident had no effect on our ability to continue to provide patient care nor was any information lost."
The types of files that could have been accessed may have contained patient name, address, date of birth, Social Security number, lab test ordered and results, telephone number, pregnancy status, medical record number, blood type, race, employer, insurance information, diagnosis, and physician's name, the clinic says. However, no driver's license, credit card or other financial information was stored in any files on the compromised server.
WHCGPA is making available one-year of free credit monitoring to affected individuals, and says in its statement that it's "conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future."
The clinic reported the case on July 15 to the Department of Health and Human Services as a "hacking/IT incident" impacting 300,000 individuals, according to the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website, commonly called the "wall of shame". The federal website lists major health data breaches impacting 500 or more individuals.
WHCGPA says in its statement that the incident was also reported to the FBI. The clinic declined Information Security Media Group's request for comment and details about the incident.
A separate statement on WHCGPA's website notes that the organization is comprised of 25 divisions, with 45 locations throughout Montgomery, Chester, and Delaware Counties in Pennsylvania - but is merging with New Jersey-based Regional Women's Health Group, to form a new entity Axia Women's Health, which collectively will be comprised of more than 275 healthcare providers in approximately 100 patient care centers in both states.
To date, the only larger breach posted on the federal website known to have involved ransomware was reported in June by Airway Oxygen, a Michigan-based provider of oxygen therapy and home medical equipment. That breach impacted 500,000 individuals.
Of the 2,009 health data breaches posted on the "wall of shame" website as of July 28, only 12 "hacking/IT incidents" are officially noted by OCR as having involved ransomware.
In July 2016, OCR issued guidance for covered entities and business associates instructing them that in most cases, ransomware attacks are reportable HIPAA breaches. Nevertheless, relatively few have been added to the federal tally. Some privacy and security experts say that could be due to lingering uncertainty about whether these incidents indeed result in compromises to protected health information that require reporting to federal regulators.
While the WHCGPA ransomware incident appears to have started months before it was detected, there are steps other organizations can take to effectively notice early signs of such attacks, Herold says.
"The time from a virus being introduced into a system and being discovered could take days, weeks, months, or even years," she notes. Detection of ransomware depends on many factors, including type of files infected and how often they're actually accessed; type of malware and triggers to launch a virus payload; and the kinds of security technology deployed, such as anti-malware, she says.
Herold notes that early-warning signs of a potential malware infection or imminent attacks that entities' employees should heed include:
- Social media posts from friends that are uncharacteristic, especially those asking the user to click on a video or photo;
- Emails, text messages, or other types of peer-to-peer messages telling the user they've won something or owe a payment, as well as attachments to messages sent from unsolicited and unknown sources;
- Computers running slower than usual;
- Unusual or new types of pop-ups showing up on computers.
Steps to Take
In addition to educating users not to click on phishing messages, Fricke says that to prevent falling victim to ransomware attacks, all entities need to patch vulnerabilities, run endpoint protection solutions designed to detect and stop malware infections - including ransomware - and make sure data gets backed up frequently.
Since WHCGPA says it was able to restore files promptly from backups after detecting the ransomware, Herold says that's a critical reminder to other healthcare entities about the importance of having a solid disaster recovery plan ready to implement immediately in the wake of an incident.
"Too many organizations, after all these decades, still do not have such necessary practices in place," she says.
Also, among systems and data that should be backed-up, yet are sometimes neglected by healthcare entities, are email repositories, photo and video vaults, and electronic health record databases, she adds.