Cyberattack Reported by The Center for Neurological and Spinal Disorders

A hacker has been discovered to have infiltrated the network of the Center for Neurological and Spinal Disorders (CNDS) in Los Angeles. The attacker succeeded in gaining access to the healthcare data of 1,134 patients.

The breach affects 823 patients of CNDS and a further 311 patients of another practice that is billed by CNDS. Names, phone numbers, addresses, Social Security numbers, billing information, and medical chart data were compromised as a result of the attack, although some patients only had their names compromised.

The breach was discovered on July 21, 2016, although the intruder gained access to a CNDS computer on July 7, 2016. The attacker succeeded in installing malware on the PC which took periodic screenshots and sent the images to a command and control center. The malware also recorded keystrokes entered on one of the Center’s computers.

Upon discovery of the intrusion, CNDS isolated the device and shut down access. Servers and systems were also taken offline while the breach was investigated. The internal investigation determined that screenshots were taken of 1,134 patients between July 7 and July 18. The hacker had initially gained access to an office manager’s computer and installed the malware.

CNDS reported the incident to the Federal Bureau of Investigation and the hard drive was taken away for forensic analysis. The FBI investigation revealed that the malware had been written in Cyrillic script language and that the attack appeared to have been performed from outside the United States.

After the hard drive was replaced and new software installed, CNDS brought in an external cybersecurity company to perform a full analysis of software and systems to ensure that all traces of the malware had been removed and no backdoors or other malware had been installed on the network. That investigation determined that all CNDS systems were clean. CNDS retained the services of the cybersecurity firm to provide ongoing advanced threat protection and to conduct continuous network security analyses.

CNDS has reported the incident to Experian, Equifax, and TransUnion and a breach notice has been sent to the Department of Health and Human Services’ Office for Civil Rights.

All affected individuals have now been notified of the breach by mail and have been offered 12 months of credit monitoring and identity theft protection services through Identity Force without charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.