'Survivor' Lessons from an Attack on Dental Practice
Florida Dentist Describes Recovering from Ransomware Attack
Dentist Carl Bilancione is a survivor in more ways than one, including surviving a recent ransomware attack.
The former contestant on the reality TV show Survivor (season 3, in 2001) also survived a terrible bicycling accident in 2014 that left him in a body brace for five months. Now, his Maitland, Florida dental practice is recovering from a recent ransomware attack.
Maitland Dentistry discovered on July 17 that it was a victim of a ransomware attack that appears to have been targeted - and was limited - to a computer running the practice's QuickBooks accounting software, Bilancione tells me.
During the process of trying to remediate the situation, the practice's IT staff realized that while the accounting system was set up to automatically back up, a "glitch" prevented the last five months of data from being backed up.
To unlock the encrypted data, the attackers demanded a ransom of $10,000 - cash to be wired, not paid in bitcoin - and threatened that the ransom would double in 48 hours, Bilancione says. But the local sheriff's department warned the practice that if it paid, there was no guarantee the data would be unlocked, and that paying would make Maitland Dentistry even more of a target for future attacks.
So instead of paying the ransom, the practice is having its accountant restore the last five months of lost data. Not great, but much better than shelling out thousands of dollars to cybercriminals, he says.
"These attackers buy kits that target QuickBooks," he says. "We have firewalls, backup and other security precautions, and we were still hit."
Lessons to Learn
One of the lessons he hopes other smaller healthcare practices - and, for that matter, all small businesses, including those run out of homes - will learn is that they too are in the crosshairs of attackers and must be ready to defend against the threats, he says.
"Make sure your data is being backed up daily, not once a week or once a month," he says. Maitland Dentistry is also setting up new policies, including having any online purchasing done only on a dedicated computer that's segregated from the rest of the office's network, he says.
While the practice still isn't exactly sure how the affected computer got compromised, Bilancione says one theory is that it might have gotten infected while one of the other dentists was browsing wines on a French online retail site.
Fortunately, no patient or employee information was compromised in the attack impacting the QuickBooks software, he contends. "There were no patient names, records, payroll information, Social Security numbers or anything like that" contained in the computer running the QuickBooks system, he says. "Only dental supplies, utilities, and things like that."
Bilancione and his Maitland Dentistry colleagues survived the ransomware attack with minimal disruption, he says - especially compared to the ransomware attacks some other healthcare entities and municipalities in Florida, and elsewhere, have been dealing with in recent weeks.
That includes an attack on the city of Riviera Beach, Florida, which recently agreed to pay hackers about $600,000 in bitcoin to end a ransomware attack that crippled the city's IT infrastructure for nearly a month (see Florida City Paying $600,000 to End Ransomware).
But many government municipalities, just like healthcare sector entities - especially smaller, more thinly resourced organizations - are finding that hackers don't care about the havoc they wreak on victims. "The hackers are just looking to make a buck wherever they can," Bilancione says.
Maitland Dentistry, which has three dentists and 10 employees, certainly isn't the only small provider recently hit by ransomware. And since the practice's patient records apparently weren't impacted by the attack, Maitland Dentistry is one of the more fortunate victims in the healthcare sector, compared with some others.
For instance, a ransomware attack earlier this year against Southeastern Council on Alcoholism and Drug Dependence, Inc., a Lebanon, Connecticut-based not-for-profit provider of inpatient, outpatient and residential treatment for substance abuse, disrupted operations for several days.
But the attack also led to weeks of challenges for SCADD, including difficulties in notifying 25,000 individuals, including many indigent former patients whose information may have been exposed.
Those breach notification and related expenses were estimated to run as high as $100,000, Jack Malone, SCADD president and executive director, told me in May. Thankfully, SCADD had a cyber insurance policy that was expected to cover the costs.
Otherwise, "that's a door-closing event," Malone told me. "We're a small, community-based non-profit," he noted.
Bilancione is also aware that his practice came away from its attack lucky, compared to what might've happened. "Small businesses need to be aware and ready for these attacks," Bilancione says. "It could wipe you out."