Texas Hospital Catches Dharma Ransomware Infection
Altus Baytown Hospital Among Latest Healthcare Cyberattack Victims
An attack on Altus Baytown Hospital involving a strain of Dharma ransomware has resulted in the Texas hospital reporting to federal regulators a data breach impacting 40,000 individuals.
The attack is among the latest incidents involving ransomware posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the HHS Office for Civil Rights' website lists major health data breaches impacting 500 or more individuals.
The Altus ransomware attack was reported on Nov. 2 by Oprex Surgery L.P. - which does business as Altus Baytown Hospital - as a hacking incident involving a desktop computer and network server, according to the HHS website.
Breach Details
In a statement posted on its website, Baytown, Texas-based Altus Baytown Hospital says that on approximately Sept. 3, it discovered that an unauthorized party gained access to its computer system and infected the system with ransomware.
"The malware encrypted many of ABH's records, which made them inaccessible to ABH, to extort money from ABH," the statement says.
"Although our electronic health records were not impacted, some of the affected files contained patient information, including names, home addresses, dates of birth, Social Security numbers, driver license numbers, credit card information, phone numbers, and medical information."
The Altus statement notes that only servers of Altus Baytown Hospital - and not the Altus Houston Hospital - were involved in this incident. However, information from other affiliated and related entities was stored on these servers. The affiliated and related ABH entities impacted include an Altus women's clinic, a surgery center, an oncology provider and two imaging facilities.
Altus says that after learning of the incident, it began an internal investigation and hired an outside IT consultant to assist in decrypting and recovering its records. The consultant identified the malware as a strain of Dharma ransomware, the statement notes. "ABH's back-up files were successfully decrypted and all files were restored," the hospital says.
"As a result of our investigation, ABH believes that the records were simply encrypted and there is currently no indication that the information itself has otherwise been accessed or used by any unauthorized individual," the hospital says.
However, as a precaution, the hospital has reported the incident to regulators and provided all of its affected patients with breach notification so that they can take appropriate steps to safeguard their personal information. Altus is also providing one year of free credit monitoring services to those impacted. Additionally, the hospital says it is implementing "additional safeguards" to prevent future attacks on the system.
In a statement provided to Information Security Media Group, Altus says it was able to successfully recover from the attack with limited disruption to its hospital operations without paying a ransom.
"We believe that the intent of this ransomware attack was to simply encrypt records in order to extort money from ABH."
Other Attacks
While the Altus attack is the latest ransomware incident posted to the OCR breach website, it is by no means the only HIPAA breach involving ransomware to be recently added to the federal tally.
Among other hacking incidents involving ransomware recently added to the federal tally is a breach reported on Oct. 11 by Hanover, Penn.-based May Eye Care. That incident impacted 30,000 individuals, according to the HHS website.
A copy of May Eye Care's breach notification statement posted on blog site Databreaches.net indicates that the server attack occurred on July 29, with ransomware impacting the entity's electronic medical record system.
Protected health information stored on the impacted server included patients' names, dates of birth, addresses, diagnoses, clinical and treatment information, insurance details and a limited number of Social Security numbers, the notification says.
"At this time, there is no evidence to suggest any patients' protected health information has been directly accessed or used without their notification," the statement says.
May Eye Care's notification did not mention the type of ransomware involved in the attack, and the healthcare provider did not immediately respond to an ISMG request for comment.
May Eye Care is not the only eye care center recently hit with ransomware. On Nov. 2, Iowa-based Jones Eye Center and CJ Elmwood Partners, L.P. - the affiliated surgery center of Jones Eye - reported to OCR a breach impacting 40,000 individuals involving ransomware (see Eye Clinic Sees Quick Recovery From Ransomware Attack).
Troubling Trends
Healthcare providers are often vulnerable to the type of ransomware strain involved in the Altus attack, notes Max Henderson, senior security analyst and incident response lead at consulting firm Pondurance.
"Healthcare entities are especially susceptible to Dharma due to a large industry recurrence of both vendor credential theft and vendor credential re-usage on exposed remote desktop protocol with single-factor authentication," he says.
While healthcare entities need to be prepared to deal with any potential cyberattack, some variants of ransomware are more troubling than others, other experts note.
"Healthcare organizations should be worried about all ransomware," says Keith Fricke, principal consultant at tw-Security.
However, "the variants that destroy data, such as NotPetya, are particularly nasty because data destruction without backups leaves an organization in a bad situation," he notes. "At least with 'traditional' ransomware, having the option of paying for the decryption key is better than the malware intentionally deleting the data."
Henderson predicts that "cyberattack threat vectors in 2019 will likely continue with recent, frequent trends of leveraging vendor access for pivoting inside of networks, where often neglected considerations of the account's privileges and routes to internal infrastructure pave the way for a seamless compromise."
In addition, Henderson warns: "We also caution companies to be wary of the crypto jacking trend that has seen a spike in 2018."
Breach Determination
Meanwhile, not all victims of ransomware attacks in the healthcare sector appear to report the incidents to HHS as HIPAA breaches, despite OCR issuing guidance in 2016 saying that in most cases, ransomware attacks result in reportable breaches.
"HHS has provided guidance in the form of a 'Fact Sheet on Ransomware and HIPAA' that a breach has occurred because the data encrypted as a result of ransomware are by the unauthorized 'access' [that] qualifies it as a breach event," notes Susan Lucci, a senior privacy and security consultant at tw-Security.
The HHS fact sheet explains that if the organization can demonstrate a low probability that electronic PHI has been compromised through the four-step risk assessment, then it would not qualify as a reportable breach, Lucci notes.
"This analysis must be carefully and meticulously documented. The questions and answers should be thoughtfully recorded with rationale provided. Then also be certain that all incident information is retained for a minimum of six years," she advises.