Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected

Three ransomware attacks have been reported by healthcare organizations and vendors in the past few days. The PHI of almost 70,000 patients has potentially been compromised in the attacks.

50,000 Individuals Affected by Ransomware Attack on Delaware Guidance Services for Children and Youth

Delaware Guidance Services for Children and Youth (DGS) was forced to pay a ransom to recover files that had been encrypted in a Christmas Day ransomware attack. DGS has not publicly disclosed how much was paid for the decryption keys to unlock the files on its data servers.

After recovering files, DGS engaged an IT firm to conduct a forensic analysis to determine whether the attackers had gained access to sensitive information prior to encrypting files. The firm found no evidence to suggest that any protected health information had been compromised or stolen. The attack appeared to have been conducted solely for the purpose of extorting money from DGS.

DGS started sending notification letters to the parents and guardians on February 26, 2019 alerting them that sensitive information had been exposed. The types of data in the files that were encrypted by the ransomware included names, addresses, birth dates, medical information, and Social Security numbers.

All affected individuals have been offered 12 months of complimentary credit monitoring services through MyIDCare.

The ransomware attack was reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach summary indicates the PHI of up to 50,000 individuals was potentially compromised in the attack.

Maffi Clinics Ransomware Attack Impacts 10,465 Patients

Maffi Clinics, a network of 5 plastic surgery and skin care clinics in Arizona, is alerting 10,465 patients that some of their protected health information was potentially compromised as a result of a September 11, 2018 ransomware attack.

The attack was promptly detected and remediated, limiting the potential for unauthorized data access. In its breach notification letter to patients, Maffi Clinics explained that the unauthorized access point was quickly detected and terminated, and systems were shut down to limit the harm caused. Access to Maffi Clinics’ systems was possible for just 5 hours.

An independent IT consulting firm was able to remove the ransomware and recover files from backups without data loss. No evidence was uncovered to suggest that the attackers had viewed or downloaded any patient information. Maffi Clinics also said no ransom demand was received.

While unauthorized PHI access is not suspected, if the attackers did access or download files, they would only have been able to view names, addresses, phone numbers, and pre-and post-operative records.

Maffi Clinics has taken steps to improve security and additional safeguards have now been implemented to prevent further ransomware and malware attacks. OCR was notified about the attack on March 6, 2019.

Direct Scripts Ransomware Attack Impacts 9,319 Individuals

Direct Scripts, an Ohio provider of pharmacy benefits management services, suffered a ransomware attack on January 30, 2019 which resulted in the encryption of files containing patients’ protected health information.

The affected server was found to contain customer names, addresses and prescription information. All other information stored by Direct Scripts was located on servers and computers that were not accessible to the attackers. No evidence has been uncovered to suggest any patient information has been misused.

Direct Scripts has sent notification letters to affected individuals and the incident has been reported to OCR. The OCR breach report indicates 9,319 individuals were potentially affected by the attack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.