Ransomware Attack Reported by East Valley Community Health Center

West Covina, CA-based East Valley Community Health Center (EVCHC) has started notifying patients that some of their electronic protected health information was compromised when ransomware was installed on one of its servers.

The ransomware attack occurred on October 18, 2016 and involved a ransomware variant called Troldesh/Shade. As with other forms of ransomware, Troldesh conducts scans of its local environment and encrypts a wide range of file types with an asymmetric encryption algorithm, preventing the files from being accessed.

Troldesh is supplied by the ransomware author as a development kit, which allows affiliates to run their own ransomware campaigns. The ransomware is usually distributed through spam email campaigns, in file attachments containing malicious JavaScript code. However, in this case, an unauthorized individual logged onto an EVCHC server and installed the ransomware.

Many different files were encrypted, one of which contained the electronic health information of EVCHC patients. The file was used by EVCHC for logging claims that had been submitted to health plans. The file contained names, addresses, birthdates, medical record numbers, insurance account numbers, and health diagnosis codes. No financial information, Social Security numbers, or driver’s license numbers were present in any of the encrypted files.

Ransomware is typically used to extract a ransom payment from the victim, not to gain access to sensitive information. However, it is possible that the attacker was able to view the ePHI contained in the file. No evidence of file access or exfiltration was discovered by EVCHC.

The ransomware attack has now been reported to the Department of Health and Human Services’ Office for Civil Rights and the California Attorney General’s office. The OCR breach report indicates 65,000 individuals have been impacted.

Steps have been taken to reduce the likelihood of future ransomware attacks, including the implementation of additional technical controls and the transfer of patients’ protected health information to a third-party off-site server maintained by a health information technology company. EVCHC will also be conducting a full review of privacy practices and updates will be made, as appropriate, to maintain the highest level of privacy for patients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.