A recent Cardiology Center of Acadiana ransomware attack has resulted in the exposure of almost 9,700 patients’ protected health information. The ransomware attack occurred on February 7, 2017 and was discovered the following day.
The attackers targeted a server used by the Lafayette, LA-based cardiology practice and deployed ransomware, which encrypted a range of files containing patients’ names, dates of birth, addresses, billing information, clinical data, medical images and social security numbers.
Cardiology Center of Acadiana has not disclosed exactly how the attack occurred, nor the variant of ransomware used in the attack, although the breach report suggests the attackers utilized open external ports on the server. All external ports have now been closed to prevent future attacks and the cardiology center’s antivirus protections have been upgraded.
Cardiology Center of Acadiana has not received any reports suggesting patients’ PHI has been copied or misused, although all patients impacted by the incident have been advised to exercise caution in case the attackers were able to steal their PHI.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 9,681 patients were impacted.
A recent study published in JAMA Internal Medicine indicates larger healthcare organizations face a higher risk of experiencing data breaches, but when it comes to ransomware, healthcare organizations of all sizes are at risk.
So far in 2017, the following healthcare organizations have reported being attacked with ransomware:
Steps to Take to Protect Against Ransomware Attacks
Unfortunately, there is no single cybersecurity solution that prevents ransomware attacks. The best defense is layered: a properly configured firewall combined with controls that block the main attack vectors, chiefly email and the web.
Anti-virus and anti-malware solutions should be deployed and their definitions kept up to date. A spam filtering solution capable of analyzing inbound email and blocking attachments that pose a threat should be in place, and a web filter should be considered to reduce the risk of drive-by attacks via exploit kits. Office macros should be blocked, or at least prevented from running in documents received from the internet.
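The attachment checks described above, as an added example that is not code from the original article or from any product named in it. It applies three checks a mail gateway would apply: a block-list of executable and script extensions (which also catches "invoice.pdf.exe"-style names, since only the final extension counts), detection of a VBA macro project inside Office Open XML documents (these are zip archives, and a macro-enabled file carries a vbaProject.bin entry, whatever the extension claims), and quarantine of legacy binary Office files, which cannot be inspected this way with the standard library. The sample attachments are constructed inline so the script runs offline; the file names and verdict policy are assumptions.

```python
"""Attachment triage for an inbound mail filter (added example, constructed data)."""
import io
import zipfile

# Extensions that rarely have a legitimate reason to arrive by email.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "ps1", "jar", "lnk", "msi",
}
OFFICE_EXTENSIONS = {
    "doc", "dot", "xls", "ppt",                                  # legacy OLE2 binary
    "docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm",      # Office Open XML (zip)
}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound file header of legacy .doc/.xls


def has_macro_project(data: bytes) -> bool:
    """True if an OOXML document (a zip archive) contains a VBA project.
    The extension is not trusted: a .docx carrying vbaProject.bin is flagged too."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip, so not OOXML


def triage_attachment(filename: str, data: bytes):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable or script extension .{ext}"
    if ext in OFFICE_EXTENSIONS:
        if has_macro_project(data):
            return "block", "Office document contains a VBA macro project"
        if data.startswith(OLE2_MAGIC):
            return "quarantine", "legacy binary Office format; macros cannot be checked here"
    return "allow", "no indicator matched"


def _make_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML zip for the example; a real document has more entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (hypothetical names and contents).
SAMPLES = {
    "invoice.docm": _make_ooxml(with_macro=True),
    "referral.docx": _make_ooxml(with_macro=False),
    "scan_0207.pdf.exe": b"MZ\x90\x00" + b"\x00" * 12,
    "ecg.pdf": b"%PDF-1.4\n",
    "patient_list.doc": OLE2_MAGIC + b"\x00" * 8,
}


def triage_all(samples=SAMPLES):
    """Verdict per sample name."""
    return {name: triage_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = triage_attachment(name, data)
        print(f"{name:22} {verdict:10} {reason}")
```

A production filter would add content-type sniffing for every attachment (not just Office extensions) and inspect archives recursively, since droppers are routinely delivered inside .zip files.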
Ransomware droppers typically execute from user-writable locations such as the AppData, Local AppData and Temp folders. Application control (Windows Software Restriction Policies or AppLocker) and many endpoint security products can prevent executables in those folders from running. Some ransomware families also contact a command-and-control (C2) server to obtain or deposit the encryption key before encrypting files; an intrusion detection or prevention system that blocks that traffic can stop those variants. Many families now encrypt without any network connection, however, so this control should not be relied on alone.
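The two indicators above (execution from a user-writable folder, then an outbound connection from that process) can be checked in endpoint telemetry. Below is an added example, not code from the original article or from any product, that runs the check over a constructed, simplified process and network event log loosely modelled on Sysmon event IDs 1 and 3; the key="value" record format, field names, allow-list entry and usernames are assumptions for the example.

```python
"""Flag executables launched from user-writable folders and their outbound connections
(added example, constructed data)."""
import re

# User-writable folders ransomware droppers commonly run from (username is a wildcard).
SUSPICIOUS_DIRS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local|locallow)\\", re.I),
    re.compile(r"^c:\\windows\\temp\\", re.I),
]
# Known updaters that legitimately run from AppData; assumed allow-list for the example.
ALLOWED_IMAGES = {
    r"c:\users\nurse1\appdata\local\microsoft\onedrive\onedrive.exe",
}

# Constructed event log: one key="value" record per line (hypothetical format).
SAMPLE_LOG = [
    'event="process_create" pid="4120" image="C:\\Users\\nurse1\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" parent="explorer.exe"',
    'event="process_create" pid="4388" image="C:\\Users\\nurse1\\AppData\\Roaming\\invoice_0207.exe" parent="WINWORD.EXE"',
    'event="network_connect" pid="4388" dest="203.0.113.45" dport="443"',
    'event="process_create" pid="4400" image="C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe" parent="explorer.exe"',
    'event="network_connect" pid="4400" dest="198.51.100.10" dport="443"',
]


def parse_event(line: str) -> dict:
    """Turn a key="value" record into a dict; values contain no quotes in this format."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def runs_from_user_writable(image: str) -> bool:
    return any(rx.match(image) for rx in SUSPICIOUS_DIRS)


def analyze(lines):
    """Return a list of (severity, description) alerts.

    A launch from a user-writable folder is medium severity on its own. A later
    outbound connection from the same pid is raised to high: that is the point at
    which a dropper would fetch its payload or exchange keys with a C2 server."""
    alerts = []
    flagged = {}  # pid -> lowercased image path of a suspicious launch
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "process_create":
            image = ev["image"].lower()
            if runs_from_user_writable(image) and image not in ALLOWED_IMAGES:
                flagged[ev["pid"]] = image
                alerts.append(("medium",
                               f"pid {ev['pid']}: {ev['image']} launched from a "
                               f"user-writable folder by {ev['parent']}"))
        elif ev.get("event") == "network_connect" and ev["pid"] in flagged:
            alerts.append(("high",
                           f"pid {ev['pid']}: outbound to {ev['dest']}:{ev['dport']} "
                           f"from {flagged[ev['pid']]}, possible payload fetch or C2"))
    return alerts


if __name__ == "__main__":
    for severity, text in analyze(SAMPLE_LOG):
        print(f"[{severity}] {text}")
```

The Word parent process on the flagged launch is itself a strong signal (a document spawning an executable) and would normally be a separate rule; keeping the allow-list short and exact, rather than matching on vendor directory names, matters because a dropper can create any folder name it likes under AppData.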
In addition to technical controls, all users should receive security awareness training that highlights the risks of opening email attachments from unknown senders, enabling macros, or installing unauthorized software.
Steps should also be taken to limit the impact of an attack. Regular backups should be performed, kept offline or otherwise out of reach of the accounts that could be compromised, and restore-tested so that data can actually be recovered. User privileges should be restricted, since ransomware runs with the permissions of the user who executed it: access to mapped network drives and shared folders, write access in particular, should be limited to what each user needs.
Most ransomware attacks are not targeted. Cybercriminals exploit unpatched vulnerabilities and exposed services to gain access to endpoints and servers, as the open external ports cited in this breach report suggest happened here. Security patches should therefore be applied promptly, vulnerability scans performed regularly, and externally reachable ports limited to those actually required.