Over 6,500 Patients Possibly Impacted by Minnesota Ransomware Attack

May 27, 2018


Rochester, MN-based Associates in Psychiatry and Psychology (APP) has suffered a ransomware attack that affected numerous computers containing patients’ PHI.

The ransomware attack was found on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no proof was found to indicate any PHI was copied or accessed by the attackers.

As it was not possible to exclude data access with 100% confidence, all patients whose data were stored on the affected appliances have been alerted to the security breach. The types of information possibly accessed includes names, insurance information, Social Security numbers, addresses, birth dates, and treatment records.

APP acted swiftly when the attack was found and took its systems offline to avoid the proliferation of the ransomware and restrict the possibility for further encryption of data as well as data theft. APP’s systems remained offline for 4 days while the attack was evaluated.

APP notices in its Q&A concerning the case that the attack is thought to have started between the evening of Friday, March 30 and the morning of Saturday, March 31. The kind of ransomware used in the attack was “Triple-M.” APP described that this type of ransomware utilizes the RSA-2048 encryption protocol and very long keys to encrypt data. The system reestablish function was also deactivated and the attackers reformatted the network storage appliance that was utilized to store backups.

Steve Patton, APP’s IT Director, verified to databreaches.net that the ransom was paid because it was not possible to bring back files from backups because of the actions taken by the attackers. Originally, a ransom demand of 4 Bitcoin was issued – About $30,000 – even though the practice managed to deal with the attackers and paid 0.5 BTC (approximately $3,758) for the keys to recover the encrypted data.

All systems and data have now been re-established, extra layers of encryption and security have been applied, and APP’s remote access policies have been upgraded.

As per the breach report presented to the Department of Health and Human Services’ OCR, 6,546 patients were possibly impacted. APP notices that there was clear indication that PHI was not seen by the attackers; nevertheless, as a protective step, APP has proposed affected people check their credit reports for any indication of fake use of their information.