Ransomware Attack Announced by Keck Medical Center of USC

Another Californian healthcare organization has been attacked with ransomware. Two computer servers operated by Keck Medical Center of USC were taken out of action on August 1 when ransomware was installed. No ransom was paid and all data could be recovered from backups, although restoring the files took a number of days.

Electronic health records were not encrypted in the attack, although some of the files on the servers did include PHI including patients’ names, dates of birth, demographic information, treatment information, medical diagnoses, and in some cases, Social Security numbers.

Patients impacted by the breach had visited the La Canada-Flintridge clinic between August 1, 2011 and August 1, 2016, participated in the Department of Family Medicine’s former residency program between 1999 and 2008, or had visited outpatient hospital clinics and had submitted a request for information between July 2015 and August 2016.

Patients are now being informed of the incident and are being offered credit monitoring and identity theft protection services, although the attack is not believed to have involved the theft of any patient health information. Most of the files encrypted by the ransomware were internal documents such as HR material, training documents, templates, and other files required for hospital operations.

According to the breach notice, swift action was taken upon discovery of the attack which limited the severity of the incident. All traces of the ransomware have now been removed from the servers, although the internal investigation into the attack is ongoing. The breach report issued to Office for Civil Rights indicates 16,000 individuals have been impacted.

The attack has prompted a review of data security and steps have already been taken to improve the speed of detection and response to incidents involving malware and ransomware. Additional software has also been installed to monitor for malicious network traffic and the use of encryption for all data at rest is now also being reviewed.

FBI Issues PSA Requesting Information on Ransomware Attacks

Earlier this month, the Federal Bureau of Investigation issued a public service announcement calling for ransomware victims to report incidents to the Internet Crime Complaint Center.

The FBI has requested that ransomware victims supply as much data as possible about an attack, including:

  1. Date of Infection
  2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  3. Victim Company Information (industry type, business size, etc.)
  4. How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  5. Requested Ransom Amount
  6. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  7. Ransom Amount Paid (if any)
  8. Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  9. Victim Impact Statement

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.