Share this article on:
Decatur County General Hospital in Tennessee has discovered malware has been installed on a server housing its electronic medical record system. The attacker potentially gained access to the medical records of up to 24,000 patients.
An unauthorized software installation was discovered on November 27, 2017 by the hospital’s medical record system vendor, which is also responsible for maintaining the server on which the system is installed. An investigation revealed the software was a form of malware known as a cryptocurrency miner.
Crytptocurrency mining is the use of computer processors to verify cryptocurrency transactions and add them to the public ledger containing details of all transactions since the currency was created. The process of verifying transactions requires computers to solve complex computational problems.
Cryptocurrency mining can be performed by anyone with a computer, and in return for solving those computational problems, the miner is rewarded with a small payment for verifying the transaction.
A single computer can be used to earn a few dollars a day performing cryptocurrency mining. Large numbers of computers can generate reasonable profits. An army of cryptocurrency mining slave computers, such as those infected with cryptocurrency mining malware, can generate substantial earnings. Cryptocurrency malware campaigns and infections have soared in recent months.
Since cryptocurrency mining requires a considerable amount of processing power, computers infected with the malware may slow considerably, although it may not always be apparent that infection has occurred. In the case of Decatur County General Hospital, the malware infection was not identified by its EMR vendor for more than two months. The malware is believed to have been installed on or before September 22, 2017.
Cryptocurrency mining malware typically only has one function. The malware is not normally associated with data theft. However, in this instance, the attacker is believed to have gained access to the server in order to install the malware. Access to patient data was therefore possible.
Decatur County General Hospital conducted an in-depth investigation into the server breach and malware infection, and while no evidence of data access or data theft was uncovered, it was not possible to reasonably verify that data access had not occurred. Therefore, the decision was made to issue notifications to patients that protected health information had potentially been compromised.
Due to the sensitive nature of data stored on the server – names, addresses, birth dates, Social Security numbers, diagnoses, treatment information, and insurance billing information – all patients impacted by the incident have been offered credit monitoring services for 12 months through True Identity without charge.
No evidence of misuse of patient information has been reported to date and the hospital believes the sole purpose of the attacker was to install the malware, not to steal patient data. However, patients have been advised to exercise caution and monitor their accounts, credit, and EoB statements for any sign of fraudulent activity and to be wary of any communications received via the telephone, mail, or email about the incident.