Rochester, MN-based Associates in Psychiatry and Psychology (APP) has experienced a ransomware attack that affected several computers containing patients’ protected health information.
The ransomware attack was discovered on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no evidence was uncovered to suggest any protected health information was accessed or copied by the attackers.
Since it was not possible to rule out data access with 100% certainty, all patients whose data were stored on the affected devices have been notified of the security breach. The types of information potentially accessed include names, birth dates, addresses, Social Security numbers, insurance information, and treatment records.
APP acted promptly when the attack was discovered and took its systems offline to prevent the spread of the ransomware and limit the potential for further encryption of data and data theft. APP’s systems remained offline for four days while the attack was assessed.
APP notes in its Q&A about the incident that the attack is believed to have commenced between the evening of Friday, March 30 and the morning of Saturday, March 31. The type of ransomware used in the attack was “Triple-M.” APP explained that this variant of ransomware uses the RSA-2048 encryption protocol and extremely long keys to encrypt data. The system restore function was also disabled and the attackers reformatted the network storage device that was used to store backups.
APP’s IT Director, Steve Patton, confirmed to databreaches.net that the ransom was paid as it was not possible to restore files from backups due to the actions taken by the attackers. Initially, a ransom demand of 4 Bitcoin (around $30,000) was issued, although the practice managed to negotiate with the attackers and paid 0.5 BTC (approx. $3,758) for the keys to recover the encrypted data.
All systems and data have now been restored, additional layers of security and encryption have been implemented, and APP’s remote access policies have been updated.
According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 6,546 patients were potentially impacted. APP notes that there was clear evidence that protected health information was not viewed by the attackers; however, as a precautionary measure, APP has suggested affected individuals monitor their credit reports for any sign of fraudulent use of their information.