February 2, 2019
Jacksonville, FL-based FABEN Obstetrics and Gynecology has experienced a ransomware attack on a server that contained patients’ protected health information (PHI).
The ransomware was noticed on November 21, 2018, and led to extensive file encryption. An investigation was launched to determine the extent of the attack and whether any patient’s PHI was retrieved or stolen by the attackers.
An analysis of the files on the server verified that files containing patients’ PHI had been encrypted. FABEN concluded that the attackers had not accessed the files and that no data had been exfiltrated from the server.
The ransomware variant used in the attack was GandCrab. While free decryptors have been made available for some GandCrab ransomware variants, they don’t work on the latest versions of the ransomware. FABEN received a ransom demand, but the decision was taken not to pay the attackers for the key to decrypt the files.
The files that had been encrypted were created between January 2007 and April 10, 2017, and included clinical electronic medical records containing names, identification information, treatment information, and other information related to medical services provided to patients, including visit dates and labor and delivery information.
FABEN reports that it was only possible to recover files that had been created between 2007 and April 2014. There were difficulties recovering records from between September 11, 2014, and April 10, 2017. Those files have been permanently lost.
They contained information such as names, blood sugar logs, blood pressure logs, medical records provided to FABEN by patients in paper form during the above time period, and documentation linked to the Family and Medical Leave Act.
“Since the infected files were encrypted but not exfiltrated, there is no additional risk of identity theft, nor is there an additional risk that a third party may see your protected health information at this time as a consequence of the ransomware attack,” wrote FABEN in an alternate breach notice uploaded to the FABEN website. Only the 6,092 patients whose information was unrecoverable are receiving breach notification letters.
The ransomware attack has been reported to law enforcement and the HHS’ Office for Civil Rights. The investigation into the attack is continuing. FABEN is trying to determine precisely how the ransomware was installed, the source of the attack, and its ultimate extent.
Private security experts have been engaged to assess security, and additional security processes have already been implemented. FABEN is also using additional backup servers to avoid further data loss, should another attack happen in the future.