The University of Virginia Health System has notified nearly 2,000 patients that a hacker used malware to gain access to their protected health information (PHI). The hacker has been linked to thousands of other breaches and is under investigation by the FBI.
The malware infected several devices used by a physician at UVa Medical Center. When the physician accessed medical records on those devices, the malware allowed the hacker to view the data in real time on the hacker's own computer. Cybersecurity investigators determined that the malware first infected the devices on May 3, 2015, and that access remained possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.
A UVa spokesperson announced that the hacker had seen the names, addresses, dates of birth, diagnoses, and treatment information of the affected patients. However, financial information and Social Security numbers remained secure as the physician himself could not access this data.
Access to the protected health information of its patients stopped in late 2016, although UVa was not made aware of the breach for almost a year. UVa did not discover the compromise itself; it was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker's activities. Patients impacted by the breach were notified by mail shortly after the discovery, in line with HIPAA's Breach Notification Rule. UVa has since implemented a number of additional security controls to prevent further incidents of this nature.
The hacker had accessed many other systems, which prompted the FBI investigation that resulted in the UVa breach being discovered. Other businesses were also affected and had information compromised, although the full extent of the hacker's activities has not yet been determined and the FBI investigation is continuing. In the meantime, the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses, including violations of the Computer Fraud and Abuse Act and the Wiretap Act, in addition to aggravated identity theft and the production of child pornography.
The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. According to the FBI, Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to any infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.
Durachinsky targeted a wide range of organizations, including schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. During the 13 years he was active, Durachinsky spied on thousands of individuals, mainly using the Mac version of the malware, although a Windows-based variant was also used.
Durachinsky used the malware to view highly sensitive information, such as healthcare records, financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.
The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.