Share this article on:
A recent mailing sent to American Dental Association (ADA) members included a USB stick containing malware. The USB drive contained a file with code that directed users to a domain which could enable cybercriminals to install malware, potentially allowing them to gain control of computers.
The USB stick sent by the ADA was a credit card-sized drive that can be plugged into a laptop computer or a desktop. The device was used to send an electronic copy of the 2016 CDT manual containing dental procedure codes.
One recipient of the device decided to check the contents of the USB stick on a spare machine as he was wary of using the device on a machine that contained sensitive data. He discovered the drive contained an HTML launcher in a hidden iframe that contained a potentially malicious URL with a Chinese ccTLD. An autorun file was also included on the device according to his DLS Reports post. ADA was informed about the malware infection and an investigation was launched.
ADA informed Krebs on Security that the infection was introduced on certain devices during production in China. 37,000 of the devices were manufactured and mailed in total, although not all had been infected with malware. The infection was believed to be limited to a small percentage of the devices.
One of the duplicating machines had been infected during production and transferred that infection to the clean image used to transfer data onto the devices. The infection was believed to have been introduced on one of three production runs.
That company that manufactured the devices was a subcontractor of a company contracted by the ADA. A sample of the devices was tested prior to shipping, although those tests did not reveal any malware infection.
ADA emailed members for whom it had an email address and advised them to trash the USB device if it had not been already used. Members were also emailed a link which could be used to obtain an electronic copy of the manual which was sent on the USB sticks. Members were also told “Your anti-virus software should detect the malware if it is present.”
This incident has caused ADA to review its policy of sending files to members on USB drives.
USB drives are a common source of malware. Plugging in an infected USB drive can result in a virus being transferred undetected or code being run automatically. HIPAA covered entities should be wary about plugging in any unknown USB drives into computers used to store the PHI of patients, even when the devices have been sent from a trusted source such as the ADA.