In a recent announcement, Decatur County General Hospital in Tennessee revealed that it has been the victim of a cyberattack on their systems. Malware was discovered on a server housing its electronic medical record system. An investigation into the attack estimates that attacker potentially gained access to the medical records of up to 24,000 patients.
In November 2017, the hospital’s medical record system vendor discovered the unauthorised software installation on the server. The vendor, who is ultimately responsible for maintaining the server on which the system is installed, was performing a routine check on the system. Despite the regular checks, it is estimated that the malware is believed to have been installed on or before September 22, 2017. An investigation revealed the software was a form of malware known as a cryptocurrency miner.
Crytptocurrency mining is the use of computer processors to verify cryptocurrency transactions and add them to the public ledger containing details of all transactions since the currency was created. The process of verifying transactions requires computers to solve complex computational problems. Cryptocurrency mining can be performed by anyone with a computer, and in return for solving those computational problems, the miner is rewarded with a small payment for verifying the transaction.
A single computer can be used to earn a few dollars a day performing cryptocurrency mining. The more computers that a miner has access to, the higher the profits achieved. An army of cryptocurrency mining computers, such as those infected with cryptocurrency mining malware, can generate substantial earnings. According to some cybersecurity companies, the number of reports of cryptocurrency malware attacks and infections has drastically increased in recent times.
Since cryptocurrency mining requires a considerable amount of processing power, computers infected with the malware may slow considerably, although it may not always be apparent that infection has occurred. In the case of Decatur County General Hospital, the malware infection was not identified by its EMR vendor for more than two months.
Cryptocurrency mining malware is typically not used in conjunction with data theft. However, in this instance, the attacker is believed to have gained access to the server in order to install the malware. It is possible that the hacker could access confidential protected health information (PHI) and compromise its integrity.
Decatur County General Hospital conducted an in-depth investigation into the server breach and malware infection, and while no evidence of data access or data theft was uncovered, it was not possible to reasonably verify that data access had not occurred. Therefore, the decision was made to issue notifications to patients that protected health information had potentially been compromised, in compliance with HIPAA’s Breach Notification Rule.
Much sensitive nature of data stored on the server, including names, addresses, birth dates, Social Security numbers, diagnoses, treatment information, and insurance billing information. Therefore, all patients impacted by the incident have been offered credit monitoring services for 12 months through True Identity without charge.
No evidence of misuse of patient information has been reported to date and the hospital believes the sole purpose of the attacker was to install the malware. However, patients have been advised to exercise caution and monitor their accounts, credit, and EoB statements for any sign of fraudulent activity and to be wary of any communications received via the telephone, mail, or email about the incident.