Two more ransomware attacks have been reported in the healthcare industry. In both cases, the healthcare organizations paid the ransom.
Marin Healthcare District
The first attack occurred on July 26 at Marin Healthcare District in Greenbrae, California through its medical billing and EMR services vendor, Marin Medical Practices Concepts (MMPC). The attack was reported on September 28 when 5,000 patients were notified that some of their medical data was lost during the attack. According to reports, Marin providers were unable to access patient data for over a week after the attack. Marin’s computer systems are back online but two weeks of backup data was lost.
In the post-attack forensic analysis, there was no evidence that patient data, including financial and health information, was accessed. However, due to a failure in MMCP’s system while restoring backups, the patient data collected at all nine Marin medical centers between July 11 – 26 was lost. The results of diagnostic test results were not lost so patient do not need to be re-tested.
It has been reported that the ransom was paid but the amount has not been disclosed.
New Jersey Spine Center
New Jersey Spine Center was attacked by Cryptowall ransomware on July 27. The ransomware encrypted the center’s EMR, backup files, and phone system. While an anti-virus solution was in place, it detected the virus only after the ransomware had been installed.
It has been reported that hackers likely gained access to the system after using an automated program to run a list of stolen passwords. Because the center’s backup files were included in the attack, backups were inaccessible and no decryptor is currently available for this strain of ransomware. Due to these facts, the center had no choice but to pay the ransom of which the amount has not been disclosed.
According to HHS, 28,000 patients were affected by this breach. There is currently no evidence that patient data like social security numbers, credit card data, or medical history was stolen, however, the center cannot rule out unauthorized access. New Jersey Spine Center is offering patients one free year of credit monitoring.