Share this article on:
Jacksonville, FL-based FABEN Obstetrics and Gynecology has experienced a ransomware attack on a server that housed patients’ protected health information (PHI).
The ransomware was detected on November 21, 2018 and resulted in widespread file encryption. An investigation was launched to determine the extent of the attack and whether any patients’ PHI was accessed or stolen by the attackers.
An analysis of the files on the server confirmed that files containing patients’ PHI had been encrypted. FABEN determined that the attackers had not accessed the files and that no data had been exfiltrated from the server.
The ransomware variant used in the attack was GandCrab. While free decryptors have been made available for some GandCrab ransomware variants, they do not work on the latest versions of the ransomware. A ransom demand was received by FABEN although the decision was taken not to pay the attackers for the key to decrypt the files.
The files that had been encrypted were created between January 2007 and April 10, 2017, and included clinical electronic medical records containing names, diagnosis information, treatment information, and other information related to medical services provided to patients, including visit dates, labor and delivery information.
FABEN reports that it was only possible to restore files that had been created between 2007 and April 2014. There was a problem recovering records from between September 11, 2014 and April 10, 2017. Those files have been permanently lost.
They included information such as names, blood sugar logs, blood pressure logs, medical records provided to FABEN by patients in paper form during the above time period, and documentation related to the Family and Medical Leave Act.
“Since the infected files were encrypted but not exfiltrated, there is no increased risk of identity theft, nor is there an increased risk that a third party may view your protected health information at this time as a result of the ransomware attack,” wrote FABEN in substitute breach notice uploaded to the FABEN website. Only the 6,092 patients whose information was unrecoverable are receiving breach notification letters.
The ransomware attack has been reported to law enforcement and the HHS’ Office for Civil Rights. The investigation into the attack is ongoing. FABEN is attempting to determine exactly how the ransomware was installed, the source of the attack, and its ultimate extent.
Private security consultants have been hired to assess security and additional security procedures have already been implemented. FABEN is also using additional backup servers to prevent further data loss, should another attack occur in the future.