Colorado Allergy Clinic Reports Ransomware Attack
Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR) has experienced a ransomware infection on computers used to store the electronic protected health information (ePHI) of patients. The computers that were locked with the malicious file-encrypting malware contained the health records of 6,851 patients. The ePHI stored on the computers included patients’ names, medical test results, and Social Security numbers.
The ransomware attack was discovered on May 16, 2016 and affected AAIR’s Glenwood Springs medical office. Staff at the office were unable to access files on computers, and IT staff were alerted to a potential cyberattack. The IT department immediately shut down the company’s servers to prevent data exfiltration and to contain the infection. A third-party cybersecurity firm was called in to conduct a forensic analysis of the allergy clinic’s network.
According to a statement issued by AAIR’s attorney, Kari Hershey, “They weren’t able to track exactly what the hackers did, but what they did find was a draft of the ransom letter on the system.”
It is unclear exactly which strain of ransomware was involved, but it would appear that the ransomware infection was not Locky or CryptXXX – two mature ransomware strains that have been used to attack other healthcare organizations this year.
The ransomware was “in its early stages” according to Hershey, and appeared to be a relatively new form that was still being tested by the attackers. Hershey confirmed that the cybersecurity firm did not uncover any evidence to suggest that the attackers had viewed or copied any ePHI. At this stage in the forensic analysis the cybersecurity firm would have expected to have discovered any evidence of data exfiltration if it had occurred.
It is also not clear exactly how the ransomware was installed. Hershey said that the infection appeared to “pass through a password protected firewall.” The infection may have occurred via a drive-by download after an employee visited or was directed to a malicious website. Ransomware infections via email are also common. The cybersecurity firm is still conducting an investigation of all of AAIR’s systems.
The attack appears to have been conducted by Russian cybercriminals. The ransomware was discovered to have communicated with a command and control center in Russia.
Even though data theft is believed to be unlikely, AAIR is taking additional precautions to ensure that patients are protected. Hershey said, “Just out of an abundance of caution, we do want people to sign up for an identity theft protection program. That way if they do have a problem they can get help.” Patients have been offered ID Experts’ identity theft protection services for a year without charge.
Ransomware Attacks and HIPAA
A number of healthcare organizations have been hit with ransomware infections this year. In each case, ransomware encrypted sensitive data and caused widespread disruption but the incidents were not reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as data breaches.
There has been considerable debate in recent months over whether ransomware infections are reportable as data breaches under the Health Insurance Portability and Accountability Act (HIPAA).
Some IT experts argue that when a ransomware infection occurs and ePHI is encrypted, the attackers potentially have access to patient data. Others say that ransomware only encrypts data. Attackers may have the only keys to decrypt data, but they do not actually view or copy data from healthcare networks.
AAIR took the decision to alert the OCR and submitted a breach report because patient data were potentially compromised. HIPAA.