Despite reports that the healthcare sector is seeing fewer ransomware attacks this year than years prior, that doesn’t mean they don’t still exist. Unfortunately, for Missouri-based Blue Springs Family Care, that lesson was learned the hard way after suffering a breach of 44,979 patient records resulting from a ransomware attack.
Cass-Regional Medical Center, also based in Missouri, learned the same lesson when it discovered in July that its communication system had been struck by ransomware, leading to a lockout of the organization's EHR system.
In their statement, Blue Springs explains that the breach, which was discovered on May 12, 2018, had occurred when an unauthorized individual or individuals compromised the organization’s computer system, where they installed a “variety of malware programs,” including the program responsible for carrying out the ransomware attack.
According to the statement released by Blue Springs, the compromised data includes a wealth of information on their patients. The statement reads:
"We have learned that your personal information, including your full name, home address, date of birth, Social Security number, account number, driver's license number, medical diagnoses, and disability codes may have been compromised."
Once the malware was installed on Blue Springs' system, the attackers had free rein to access all the patient data within that system. The organization indicated that, at the time of its statement, it had no knowledge of the compromised information having been used by any unauthorized individuals.
In response to the incident, Blue Springs is taking corrective measures to prevent a similar attack from occurring in the future. It has implemented a new firewall and is transitioning to an EHR system that encrypts all the data it stores.
These breaches show that hackers have not stopped deploying ransomware as a means of attack, and more importantly, that the healthcare industry is still a major target for cybercrime. Organizations should plan to protect themselves before an attack occurs, as well as ensure they are prepared to handle the recovery process following a successful attack.
It is critical that all healthcare organizations have the appropriate administrative, physical, and technical safeguards in place. Security awareness training is also crucial, so that all staff learn to recognize the risks associated with ePHI. Proper training helps employees understand common methods of attack, how to help protect their organization, and how to respond if a data breach is suspected.