San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and used ransomware to encrypt data, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 55,447 patients have been impacted.
The attack involved a variant of CrySiS ransomware called Dharma, which started encrypting data on February 6, 2017. Dharma ransomware is not known to exfiltrate data; however, an analysis of the attack revealed a number of suspicious user accounts on the servers, suggesting access had been gained prior to the ransomware being installed. User logs were also discovered that indicated programs or users may have been on the servers for a limited period of time prior to the ransomware being installed.
Fortunately, the encryption process was hampered by the anti-virus solution used by ABCD Pediatrics. ABCD Pediatrics, via its IT company, was able to isolate the affected servers and take them offline, limiting the effectiveness of the attack. ABCD was not able to determine with a high degree of certainty that data were not viewed or stolen, although no evidence was uncovered to suggest data were accessed or exfiltrated.
The types of information potentially compromised included patients’ names, addresses, telephone numbers, demographic information, dates of birth, Social Security numbers, insurance billing information, medical records, procedural codes and lab test results. To protect patients from identity theft and fraud, ABCD Pediatrics has offered 12 months of credit monitoring and identity theft protection services to affected individuals via Equifax Personal Solutions.
Fortunately, ABCD Pediatrics was able to restore all encrypted and corrupted data from a backup that was securely stored on a different system. No data were lost as a result of the attack and no ransom was paid. ABCD Pediatrics reports that no ransom demand was actually received from the attackers.
The ransomware attack occurred in spite of a host of security defenses that had been deployed. Those defenses included “network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection.”
The forensic investigation identified the source of the attack and additional security solutions have now been deployed to prevent future attacks, including state-of-the-art network cyber monitoring.
The incident shows that even with advanced cybersecurity solutions in place, ransomware attacks remain a threat. While it may not be possible to prevent all ransomware attacks, risk can be reduced to an acceptable level with cybersecurity solutions, and securely stored backups will ensure that ransom demands do not have to be paid.
A good backup policy to adopt is the 3-2-1 approach. There should be three copies of data: two should be stored locally on two different media and one should be stored off site. The local media should be disconnected after a backup has been performed.
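As an added example (not from the article), the following Python encodes the 3-2-1 rule as stated above as a check over a backup inventory: three copies, two local on different media, one off site, local media disconnected after the job, plus a freshness limit so a stale copy is not counted as protection. The inventory format, the `BackupCopy` fields and both sample inventories are constructed for illustration; the "weak" inventory is the kind of two-disks-both-online setup that an encryption run can take with it, and the "good" one is the corrected layout.

```python
"""Added example (not the article's own code): verify a backup inventory
against the 3-2-1 policy described in the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    name: str
    location: str        # "local" or "offsite"
    medium: str          # e.g. "disk", "tape", "cloud"
    connected: bool      # still attached/reachable from production after the job
    last_success: datetime


def check_321(copies, now, max_age=timedelta(days=1)):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    local = [c for c in copies if c.location == "local"]
    offsite = [c for c in copies if c.location == "offsite"]

    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len(local) < 2:
        problems.append(f"only {len(local)} local copies, need 2")
    elif len({c.medium for c in local}) < 2:
        problems.append("local copies share one medium type")
    if not offsite:
        problems.append("no offsite copy")
    # Local media should be disconnected once the backup has run, so that a
    # ransomware process on the production host cannot reach them.
    for c in local:
        if c.connected:
            problems.append(f"{c.name}: local medium still connected after backup")
    # A copy that has not succeeded recently does not count as protection.
    for c in copies:
        if now - c.last_success > max_age:
            problems.append(f"{c.name}: last success older than {max_age}")
    return problems


# Constructed reference time and inventories.
NOW = datetime(2017, 2, 7, 8, 0, tzinfo=timezone.utc)
RECENT = NOW - timedelta(hours=2)

WEAK_INVENTORY = [
    BackupCopy("usb-disk", "local", "disk", connected=True, last_success=RECENT),
    BackupCopy("nas-share", "local", "disk", connected=True, last_success=RECENT),
]

GOOD_INVENTORY = [
    BackupCopy("usb-disk", "local", "disk", connected=False, last_success=RECENT),
    BackupCopy("lto-tape", "local", "tape", connected=False, last_success=RECENT),
    BackupCopy("cloud-vault", "offsite", "cloud", connected=True, last_success=RECENT),
]

STALE_INVENTORY = GOOD_INVENTORY[:2] + [
    BackupCopy("cloud-vault", "offsite", "cloud", connected=True,
               last_success=NOW - timedelta(days=9)),
]


if __name__ == "__main__":
    for label, inv in (("weak", WEAK_INVENTORY), ("good", GOOD_INVENTORY),
                       ("stale", STALE_INVENTORY)):
        print(label, check_321(inv, NOW) or "compliant")
```

Run as a script it prints the violations for each inventory. The off-site copy is allowed to remain reachable (a cloud vault normally is), which is why the check only insists on disconnection for the local media; access to the off-site copy still needs its own credentials and retention controls.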