Cryptocurrency Malware Found in Decatur County General Hospital’s Server
Decatur County General Hospital in Tennessee discovered on November 27, 2017 that the server housing its electronic medical record (EMR) system had been infected with malware. The infection gave the attacker potential access to the medical records of about 24,000 patients.
The hospital's medical record system vendor, which maintains the server, found that software had been installed on it without authorization. The software turned out to be a type of malware known as a cryptocurrency miner. A miner uses the computer's processors to perform the proof-of-work computations that verify batches of cryptocurrency transactions, which are then added to the public ledger recording all transactions. Anyone with a computer can mine, and miners are paid in cryptocurrency for the transactions they verify.
A single computer earns a miner only a few dollars per day. Spread across a large number of computers infected with a miner, however, the same work adds up to substantial earnings. This is why cryptocurrency malware infections have increased recently.
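To make concrete what a miner actually does with the stolen CPU time, here is an added Python example (not code from the original article, the hospital or its vendor) of the hash-based proof-of-work loop described above: it brute-forces a nonce until SHA-256 of the block header plus the nonce falls below a difficulty target. The header bytes, the 8-byte nonce encoding and the difficulty values are assumptions chosen for the example; real networks use their own header layout and far higher difficulty. The point to take from it is that the expected number of hashes doubles with every extra difficulty bit, so revenue scales with how many processors an attacker controls, while checking a claimed solution costs a single hash.

```python
import hashlib
from typing import Optional, Tuple

# Constructed stand-in for a block header; a real header carries the previous
# block hash, a Merkle root of the transactions being verified, a timestamp
# and a difficulty field. Not taken from any real chain.
EXAMPLE_HEADER = b"prev=0000abcd|merkle=9f1c3e|time=1511740800"


def target_for(difficulty_bits: int) -> int:
    """Digests below this value have at least `difficulty_bits` leading zero bits."""
    return 1 << (256 - difficulty_bits)


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Hash the header together with a nonce (assumed 8-byte big-endian encoding)."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verifying a claimed solution costs one hash, unlike finding one."""
    return int.from_bytes(pow_hash(header, nonce), "big") < target_for(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> Optional[Tuple[int, int]]:
    """Brute-force a nonce that satisfies the target.

    Returns (nonce, attempts) or None if max_nonce is exhausted. This loop is
    where a miner burns CPU: the expected number of attempts is about
    2**difficulty_bits, so the work grows exponentially with difficulty.
    """
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        if int.from_bytes(pow_hash(header, nonce), "big") < target:
            return nonce, nonce + 1
    return None


def expected_attempts(difficulty_bits: int) -> int:
    """Average number of hashes needed per solution at a given difficulty."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    bits = 16
    result = mine(EXAMPLE_HEADER, bits)
    assert result is not None
    nonce, attempts = result
    print(f"difficulty={bits} bits nonce={nonce} attempts={attempts} expected~{expected_attempts(bits)}")
    print("digest:", pow_hash(EXAMPLE_HEADER, nonce).hex())
    print("verify:", verify(EXAMPLE_HEADER, nonce, bits))
```

Raising `bits` by one roughly doubles the run time on a single core; that asymmetry between finding and checking a solution is exactly what makes a fleet of compromised servers, each contributing hashes around the clock, worth the attacker's effort.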
Computers running cryptocurrency mining malware sometimes slow down considerably, but the slowdown is not always apparent. In Decatur County General Hospital's case, the malware went undetected for over two months, which places its installation at around September 22, 2017.
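Because a miner does not always make itself felt as a slowdown, a defender needs a check that does not rely on users complaining. The following Python script is an added example (not code from the original article, the hospital or its vendor) of such a check: it parses a constructed process snapshot in the format of `ps -eo pid,pcpu,etimes,args --no-headers` and flags processes that either carry command-line strings typical of mining software (the stratum pool protocol scheme, XMRig's `--donate-level` option, mining algorithm names) or have consumed high CPU for a long time. The process names, paths, pool host, wallet string and thresholds are invented for the example and should be tuned to the server's normal workload.

```python
from typing import List, Tuple

# Constructed snapshot in `ps -eo pid,pcpu,etimes,args --no-headers` format.
# Every process, path, host and wallet string here is invented for the example.
SAMPLE_PS = """\
 1043  0.3    7200 /usr/sbin/sshd -D
 2217 96.8 5702400 /tmp/.x/kworkerds -o stratum+tcp://pool.example.invalid:3333 -u 4A-example-wallet --donate-level 1
 3001 12.0   86400 /opt/emr/bin/emr-db --listen 5432
 4120 91.2     300 /usr/bin/python3 /opt/reports/nightly.py
"""

# Substrings commonly found on miner command lines: the stratum pool protocol
# scheme, XMRig binary name and option, and Monero-family algorithm names.
MINER_INDICATORS = (
    "stratum+tcp://",
    "stratum+ssl://",
    "xmrig",
    "minerd",
    "--donate-level",
    "cryptonight",
    "randomx",
)

# Assumed thresholds: flag a process that has been above this CPU share for
# at least this long. A nightly batch job is hot but short-lived; a miner is
# hot for weeks.
CPU_THRESHOLD = 80.0
MIN_RUNTIME_SECONDS = 3600

Row = Tuple[int, float, int, str]


def parse_ps(text: str) -> List[Row]:
    """Split each ps line into (pid, %cpu, elapsed seconds, full command line)."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, etimes, args = parts
        rows.append((int(pid), float(pcpu), int(etimes), args))
    return rows


def flag_miners(rows: List[Row]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for processes matching an indicator or the sustained-CPU rule."""
    findings = []
    for pid, pcpu, etimes, args in rows:
        reasons = []
        lowered = args.lower()
        for indicator in MINER_INDICATORS:
            if indicator in lowered:
                reasons.append(f"indicator:{indicator}")
        if pcpu >= CPU_THRESHOLD and etimes >= MIN_RUNTIME_SECONDS:
            reasons.append(f"sustained_cpu:{pcpu}%/{etimes}s")
        if reasons:
            findings.append((pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_miners(parse_ps(SAMPLE_PS)):
        print(pid, ", ".join(reasons))
```

In the sample, only PID 2217 is flagged, on both rules; the short-lived report job (PID 4120) is hot but not sustained, and the EMR database is long-lived but not hot. A miner throttled to stay under the CPU threshold would be caught only by the indicator rule, which is why the two are combined rather than relying on load alone.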
Cryptocurrency miners are not normally associated with data theft. In this case, however, the attacker had access to the server in order to install the malware and could therefore have accessed patient data.
The breach and malware infection were investigated in depth. No evidence of data theft was found, but it could not be ruled out with certainty that data was accessed, so the hospital notified patients that their PHI may have been compromised. The data stored on the server included names, addresses, dates of birth, Social Security numbers, insurance billing information, diagnoses and treatment information. As an extra precaution, affected patients were offered 12 months of free credit monitoring through True Identity.
No misuse of patient information has been reported since the incident, and the attacker is believed to have wanted only to install the miner rather than steal data. Nevertheless, patients were advised to monitor their accounts for fraudulent activity.