Aging Agency Reports Ransomware Attack: 8,750 Patients Impacted

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has experienced a ransomware attack that has resulted in the encryption of files on one of the agency’s servers. Those files contained the protected health information (PHI) of 8,750 patients.

The attack occurred on September 5, 2017 and was immediately recognized by ECKAAA, which took prompt action to limit the spread of the infection. As a result, only parts of the server had files encrypted. Those files were discovered to contain names, telephone numbers, addresses, birthdates, Medicaid numbers, and Social Security numbers.

ECKAAA hired a cybersecurity firm to assist with the investigation and determine the true extent and nature of the attack. The investigation revealed the ransomware variant used was a variant of Crysis/Dharma – a ransomware variant known to encrypt files stored locally, on mapped network drives, and unmapped network shares. Crysis/Dharma ransomware also deletes shadow volume copies to hamper recovery.

While the investigation uncovered no evidence of exfiltration of data, the possibility of data access and data theft could not be ruled out. ECKAAA reports that while not all files on the server were encrypted, the attackers potentially had access to all files saved on the server.

Prior to the ransomware attack, ECKAAA had implemented safeguards to protect against malware attacks and to ensure files could be recovered in the event of disaster. Consequently, it was possible to recover all the encrypted files without paying the ransom.

Since the protections in place were not sufficient to block the ransomware attack on this occasion, ECKAAA has implemented a number of new measures to improve security. Those measures include the use of CrowdStrike advanced malware agents and subscription to Cisco Umbrella Insights to improve security monitoring.

Additional training has also been given to staff to improve awareness of the threat from ransomware, a full password reset has taken place, and staff have been reminded about the importance of selecting strong passwords. A review of policies and procedures is also taking place and they will be updated accordingly to reduce the risk of future attacks occurring.

ECKAAA conducted a fully HIPAA-compliant breach response. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights, a substitute breach notice was placed prominently on the ECKAAA website, and media reports were submitted to prominent newspapers serving each of the five counties in which the agency operates. All individuals have now been notified of the potential breach of their PHI by mail.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.