Mind & Motion Developmental Centers have revealed that they have been the victims of a ransomware attack on their servers.
Mind & Motion Developmental Centers, a multidisciplinary treatment facility in Georgia, have announced that hackers successfully installed a variant of malware known as ransomware on their servers. It is possible that the protected health information (PHI) of up to 16,000 patients was compromised during the ransomware campaign.
Ransomware is a malware variant that denies the user access to their device, or certain files on the device, until a ransom has been paid to the scammer. Ransomware attacks are becoming increasingly common, particularly against organisations in the healthcare industry, due to the high black-market value of healthcare data. The malware is even available on the dark web. If a campaign were successful, it would prove a lucrative endeavour for the hacker with very little effort on their part. The malware is often delivered through targeted phishing attacks.
The ransomware attack on Mind & Motion was discovered on September 30, 2018. A third-party IT support organisation, TeamLogic IT, was contracted to help recover the data that had been hijacked by the threat actor. In the aftermath of the breach, TeamLogic IT was retained to assist with an investigation into the data security incident.
Investigators determined that the ransomware was downloaded and executed on a server housing Mind & Motion medical records. The data that may have been compromised in the breach included names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance information, and Social Security numbers. Investigators could not determine for certain whether medical information was affected in the attack, but it remains a possibility.
In addition to the ransomware, the investigation found the hacker also installed an inactive keylogger, spam emailer, and “other minor malware.” Officials said no other threats were “readily visible.” All malicious software was removed.
TeamLogic IT did not uncover evidence to suggest any of the installed malware had affected the organisation’s other platforms, such as its patient financial information or its scheduling and electronic billing systems. There have been no reports that any of the PHI has been used for malicious purposes, or that anybody affected by the breach has been a victim of identity fraud. The sole aim of the attacker appears to be to extort money from Mind & Motion. However, as those affected by data breaches such as this one are more likely to be the victim of fraud, affected patients are advised to be especially vigilant of suspicious activity on their accounts in the coming months.
Officials at Mind & Motion have stated that the organisation has taken measures to mitigate the chances of such an attack happening in the future. In consultation with TeamLogic IT, they have devised a series of new procedures to create a more robust security framework. These steps include resetting all passwords and implementing controls to ensure complex passwords are set on all accounts in the future. A policy has also been introduced to force users to change passwords more frequently. Computers and servers have professional anti-malware solutions installed, and scans for malicious software will be performed regularly so that an attack can be spotted as soon as possible. Encryption has been added to all its computers and the latest anti-spam technology has been deployed to protect against phishing attacks.
Once the immediate threat of the ransomware attack was over, Mind & Motion hired a compliance consulting firm to make sure that all requirements of HIPAA were satisfied. The consulting firm will be administering further HIPAA compliance training to all staff. Mind & Motion have since committed to providing their employees with further HIPAA training within the next month to refresh their knowledge of the legislation and their responsibilities under it.
In accordance with HIPAA’s Breach Notification Rule, a breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights on November 30, 2018. All patients affected by the breach have had breach notification letters sent to them. The OCR breach report indicates up to 16,000 patient records were potentially compromised.