Marin Medical Practices Concepts Pays Ransom for Decryption Keys

Marin Medical Practices Concepts (MMPC), a Novato, CA-based provider of EMR and medical billing services, has announced that its systems were recently taken out of action by ransomware.

Cybercriminals succeeded in installing ransomware on its network on July 27, 2016. While patient data were not encrypted, physicians were prevented from accessing patient data as the EMR system was shut down while the ransomware attack was resolved. Physicians were unable to access patients’ electronic medical records for over a week.

The decision was taken to pay the ransom demand for decryption keys in order to regain access to the encrypted files. The amount paid for the decryption keys, the denomination of the ransom payment, and the number of computers that were infected will not be disclosed for security reasons.

Decryption keys were provided by the attackers once the ransom was paid and all encrypted data is in the process of being recovered. Most of the organization’s systems have now been brought back online.

MMPC brought in an external security firm to investigate as soon as the ransomware attack was discovered. The security firm conducted a full forensic analysis of Marin Medical’s computer system to determine the extent of the attack and ascertained that patient data were not accessed or copied by the attackers. All systems and access points have now been secured and a plan is being put into place to prevent any future ransomware attacks from occurring.

Marin Medical Practices Concepts is one of a number of healthcare organizations to be attacked with ransomware in 2016. In February, Hollywood Presbyterian Medical Center had multiple computers infected with ransomware. A ransom demand of $17,000 was paid to obtain keys to unlock the encrypted files.

This year, ransomware attacks have also affected two Prime Healthcare Inc. hospitals, Chino Valley Medical Center (Chino, CA) and Desert Valley Hospital (Victorville, CA), as well as Ambulatory Surgery Center at St. Mary (Langhorne, PA); Allergy, Asthma & Immunology of the Rockies (Glenwood Springs, CO); Methodist Hospital (Henderson, KY); MedStar Health (Columbia, MD); Kansas Heart Hospital (Wichita, KS); and the Los Angeles County Department of Health Services.

The FBI advises against paying ransom demands, although if a viable data backup does not exist, healthcare organizations have little choice but to pay for decryption keys. However, those keys do not always work and, as we have already seen this year, cybercriminals may try to extort more money after a ransom demand is paid.

It is therefore essential for healthcare organizations to regularly perform backups of critical data and for those backups to be tested to make sure data can be restored. All backup devices should be air-gapped to ensure that in the event of an attack, backup files are not also encrypted.

The spate of ransomware attacks has prompted the OCR to issue guidance on how to protect against ransomware attacks. OCR has also recently clarified how HIPAA applies to ransomware infections.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.