Malware and Ransomware Attack on Blue Springs Family Care Affects Almost 45,000 Patients

Blue Springs Family Care in Missouri was attacked with ransomware, resulting in the encryption of patients’ protected health information. The healthcare provider’s computer vendor detected the ransomware attack on May 12, 2018, and an investigation into the security breach was launched. A computer forensics company was also called in to assist with the investigation.

Ransomware is often automatically downloaded when end users open infected email attachments. In this case, however, the payload appears to have been manually deployed once access to the network was gained, similar to the method used by the threat actors behind SamSam ransomware. Ransomware was not the only malware installed on the network; other malicious files were also detected.

With those malware variants in place, the attacker had full access to the computer systems of Blue Springs Family Care, including the system that manages all the protected health information (PHI) of patients. At the time that notification letters were sent to patients, there were no indications that any PHI had been misused, and no evidence had been uncovered to suggest PHI had been stolen by the attacker. However, with full access to the system for some time prior to the deployment of ransomware, it is possible that patients’ PHI was accessed and stolen.

The PHI that the hacker potentially accessed includes full names, addresses, birth dates, account numbers, Social Security numbers, diagnoses, disability codes and driver’s license numbers.

The computer forensics company was able to quarantine all systems rapidly to prevent any further access to data. New cybersecurity solutions have now been deployed that will improve the monitoring of systems for signs of compromise, and a new firewall has also been implemented. In addition, Blue Springs Family Care will be using a new electronic medical record (EMR) system that encrypts all data, which will prevent any further security breach from resulting in the exposure or theft of PHI.

Blue Springs Family Care has submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights, which indicates that 44,979 patients have had their PHI exposed.