The Associates in Psychiatry and Psychology (APP), based in Rochester, MN, suffered a ransomware attack that affected the computers storing patients’ protected health information (PHI). APP discovered the attack on March 31, 2018. The good news is that the patient information contained in the affected computers was not “human-readable.” APP also received no reports indicating that patients’ PHI was viewed or duplicated by the attackers.
Since it’s not 100% certain that unauthorized data access did not occur, the patients whose information was potentially compromised were notified of the security breach. The information potentially exposed included the patients’ names, dates of birth, addresses, insurance details, Social Security numbers and treatment information.
Upon discovery of the attack, APP immediately took its systems down to halt the ransomware and limit the potential encryption or theft of data. It took APP 4 days to assess the attack, during which the systems remained offline. Based on the information released by APP after the investigation, the attack was believed to have occurred between the evening of Friday, March 30, and the morning of Saturday, March 31. The ransomware used in the attack was known as “Triple-M.” This variant uses RSA-2048 encryption and extremely long keys to encrypt data. The attacker also disabled the system restore function and reformatted the network’s storage device, making it impossible to restore from backups.
Steve Patton, APP’s IT Director, admitted to databreaches.net that the company paid the ransom because recovering the backup files was not possible. The initial ransom demand was 4 Bitcoin, or the equivalent of $30,000, but APP managed to negotiate and paid only 0.5 BTC, or about $3,758, in exchange for the encryption keys. APP has since been able to restore all systems and data. Security and encryption were also improved, and the remote access policies were updated.
APP submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights and indicated that 6,546 patients were potentially affected by the ransomware attack. Though it was clear that the attackers did not view the patients’ PHI, APP still advised the affected persons to check their credit reports to make sure there were no fraudulent transactions.