PHI of 1,882 UVa Patients Exposed Due to Malware Infection

A professional hacker accessed the healthcare records of about 1,900 patients of the University of Virginia Healthcare System by infecting the device used by a hospital physician with malware. For more than 19 months, from May 3, 2015 to December 27, 2016, the hacker viewed the healthcare records of 1,882 patients. Whenever the doctor accessed the healthcare records, the hacker could view the names, addresses, dates of birth, diagnoses, and treatment details of patients in real time.

The hacker lost access to the protected health information of patients in late 2016; however, UVa did not know about the breach for a year. The FBI informed UVa of the security breach on December 23, 2017, right after investigating the hacker’s activities. Patients affected by the breach were informed by mail in February 2018. UVa has since enforced several security controls to prevent more incidents like this from happening.

The hacker responsible for the malware infection was Phillip R. Durachinsky of North Royalton, Ohio. He was likewise responsible for the Mac malware known as Fruitfly, which he created over 13 years ago. Over a period of 13 years, he spied on businesses, schools, healthcare organizations, government offices and a police department. The malware gave him complete access to electronic devices. He could upload and download documents, record keystrokes and get screenshots by tapping into webcams.

In his latest case, other companies besides UVa were also impacted. Durachinsky accessed sensitive information such as financial records, photographs, tax records, and internet search history. He also allegedly took photos using his victims’ webcams and kept notes of pertinent information. The FBI’s investigation continues in order to determine the range of Durachinsky’s illegal activities.

The FBI discovered that an IP address associated with the malware was used to open the hacker’s email account at Case Western Reserve University. That is what led to the arrest of Durachinsky. Proof of the magnitude of his activities was the more than 20 million pictures the FBI agents found on his devices.

Subsequent to his arrest, Durachinsky was charged in a 16-count indictment with various computer violations, including violations of the Computer Fraud and Abuse Act and the Wiretap Act, plus aggravated identity theft and child pornography.