The New Jersey Spine Center has reported it has suffered a ransomware attack that resulted not only in the electronic health records of patients being encrypted, but also its backup files. The infection also disabled the spine center’s phone system.
The ransomware was installed on July 27, 2016, and while the organization’s antivirus software did detect the malicious software, it was only after files had been encrypted. Without access to the latest backup files, New Jersey Spine Center was given little alternative but to pay the attacker’s ransom demand. New Jersey Spine Center has not disclosed how much was paid to the attackers. According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 28,000 patients were impacted by the breach.
After payment of the ransom the attackers supplied a functional key to decrypt the locked files. Access to their EHRs was regained on August 1. New Jersey Spine Center does not believe the attackers viewed or stole any data in the attack. However, since it was not possible to rule out data access, affected patients have been offered a year of complimentary credit monitoring and identity theft protection services.
The data encrypted in the attack included all clinical information and medical data stored in the EHR system as well as demographic data, Social Security numbers, credit card numbers, and account information. According to the breach notification letter sent to patients, “The virus likely utilized a list of stolen passwords and ran an automated program that attempted access until a correct match was found.”
The ransomware variant used in the attack was CryptoWall, which was first discovered back in June 2014. CryptoWall encrypts files using a strong 2048-bit RSA key. Unfortunately, no decryptor is available for the latest variant of the ransomware.
CryptoWall is primarily spread via spam email. Malicious files are attached to emails which appear as invoices, fax reports, or undelivered package notifications. Opening the email attachment will result in computers being infected. CryptoWall is also known to be spread via malvertising and websites hosting exploit kits.
The ransomware attack highlights the importance not only of regularly backing up files, but also disconnecting backup drives once backups have been performed.