American Dental Association Mails Malware-Infected USB Drives to Members

A recent mailing sent to American Dental Association (ADA) members included a USB stick containing malware. The drive contained a file whose code directed users to a domain from which cybercriminals could install malware, potentially giving them control of the computer.

The USB stick sent by the ADA was a credit card-sized drive that can be plugged into a laptop computer or a desktop. The device was used to send an electronic copy of the 2016 CDT manual containing dental procedure codes.

One recipient of the device decided to check the contents of the USB stick on a spare machine, as he was wary of plugging the device into a machine that held sensitive data. He discovered that the drive contained an HTML launcher with a hidden iframe pointing to a potentially malicious URL under a Chinese ccTLD. According to his DSL Reports post, an autorun file was also included on the device. The ADA was informed of the malware infection and launched an investigation.

ADA informed Krebs on Security that the infection was introduced on certain devices during production in China. In total, 37,000 of the devices were manufactured and mailed, although not all of them were infected with malware; the infection was believed to be limited to a small percentage of the devices.

One of the duplicating machines had been infected during production and transferred that infection to the clean image used to load data onto the devices. The infection was believed to have been introduced in one of three production runs.

The company that manufactured the devices was a subcontractor of a company contracted by the ADA. A sample of the devices was tested before shipping, but those tests did not reveal any malware infection.

ADA emailed members for whom it had an email address and advised them to discard the USB device if it had not already been used. Members were also emailed a link from which an electronic copy of the manual sent on the USB sticks could be obtained. Members were also told, “Your anti-virus software should detect the malware if it is present.”

This incident has caused ADA to review its policy of sending files to members on USB drives.

USB drives are a common vector for malware. Plugging in an infected USB drive can transfer a virus undetected or cause code to run automatically. HIPAA covered entities should be wary of plugging any unknown USB drive into computers used to store patients' PHI, even when the device has been sent by a trusted source such as the ADA.
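The two artefacts the recipient described, an autorun file and an HTML launcher with a hidden iframe pointing at a remote domain, are exactly what a spare-machine triage should look for before a drive goes near a system holding PHI. The script below is an added example written for this article, not code from the ADA, the recipient, or any vendor; the drive layout, file names, the `example.cn` host and the HTML content are constructed stand-ins, and it only reads files, never opens them in a browser.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed stand-in for the reported launcher page (not the real file).
SAMPLE_HTML = ('<html><body><h1>CDT 2016</h1><iframe src="http://example.cn/x" '
               'style="display:none" width="0" height="0"></iframe></body></html>')

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)', re.I)
HIDDEN_RE = re.compile(r'display\s*:\s*none|(?:width|height)\s*=\s*["\']?0\b', re.I)

def hidden_iframe_targets(html: str) -> list[str]:
    """Hostnames of iframes that are both hidden and point at a remote host."""
    hosts = []
    for tag in IFRAME_RE.findall(html):
        src = SRC_RE.search(tag)
        if src and HIDDEN_RE.search(tag):
            host = urlparse(src.group(1)).hostname
            if host:  # a relative src is a local file, not a call-out
                hosts.append(host)
    return hosts

def triage_drive(root: str) -> dict:
    """Walk a mounted drive; flag autorun.inf and HTML files with hidden remote iframes."""
    findings = {"autorun": [], "launchers": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                findings["autorun"].append(path)
            elif name.lower().endswith((".htm", ".html")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hosts = hidden_iframe_targets(fh.read())
                if hosts:
                    findings["launchers"][path] = hosts
    return findings

def build_demo_drive() -> str:
    """Temp directory mimicking the described drive layout (constructed, inert)."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=launcher.html\n")
    with open(os.path.join(root, "launcher.html"), "w") as fh:
        fh.write(SAMPLE_HTML)
    return root

if __name__ == "__main__":
    print(triage_drive(build_demo_drive()))
```

Point `triage_drive` at the mount point of a real drive on an isolated machine; any hit is a reason to stop and escalate rather than to open the files.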

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.