Ransom-Demanding Gangs Target Fresh Victims: Patients
Could Attack on Florida Clinic Be Start of Disturbing Trend?
Could ransomware shakedowns against healthcare entities be taking an even uglier turn? In a recent attack on a Florida-based plastic surgery practice, hackers exfiltrated patients' medical records and then demanded a ransom be paid by the clinic and some of its patients to avoid further exposure of the data.
In a recent "patient advisory," Dr. Richard Davis, who runs The Center for Facial Restoration located in Miramar, Florida, says the practice, which specializes in rhinoplasty and other facial plastic surgery, was a victim of a "criminal cyberattack" in November.
"On Nov. 8, 2019, I received an anonymous communication from cybercriminals stating that my 'clinic's server (was) breached.' The hackers claimed to have 'the complete patient's data' for TCFFR that 'can be publicly exposed or traded to third parties,'" the statement notes.
"The attackers demanded a ransom negotiation, and as of Nov. 29, 2019, about 15-20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met."
Alarming New Turn
"The fact that cybercriminals are now moving off the dark web to sell their illegal data, and directly extorting potential individual victim patients, is definitely a new trend that is both disturbing and dangerous," says former FBI special agent and forensics expert Jason G. Weiss, a cybersecurity attorney at the law firm Drinker Biddle & Reath LLP.
"This opens up a whole new front in the cyber warfare battlefront, and companies are going to have to treat cybersecurity as one of their highest priorities in order to keep patient data safe from cybercriminals."
Davis' statement says that on Nov. 12, 2019, he filed a formal complaint with the FBI Cyber Crimes Center and two days later met with the FBI, when the bureau recorded detailed information regarding the cyberattack and ransom demands. The investigation is ongoing, the statement notes.
The FBI has instructed patients receiving ransom demands to file independent cybercrime complaints online with the bureau, the statement notes.
"For my part, I have installed new hard drives, firewalls, and viral/malware detection software in hopes of reducing exposure to future cyberattacks, but no system is foolproof, and even the U.S. government with all its resources has been victimized repeatedly," Davis says.
"While upgrading my defenses clearly won't help those individuals whose data has already been stolen, there is reason to suspect that the theft of patient photographs may be limited to only a very small number of individuals - mostly those patients who used email to send or receive their photographs - so the upgrades may prove useful," Davis notes.
"However, personally identifiable information may have been stolen for up to 3,500 former or current patients of TCFFR. Because we store PII as the scan of the patient's intake demographic questionnaire, and not in an electronic demographic database, obtaining contact information in order to individually notify all 3,500 patients has been painstakingly slow and labor intensive, and access to the data has been hindered by ongoing IT service disruptions.
"A photocopy of your driver's license (or passport for foreign nationals), home address, email address, telephone number, and insurance policy numbers (when applicable) were routinely kept on file for most patients, as well as credit card payment receipts, which typically reveal only the last 4 digits. ... I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act."
The Center for Facial Restoration reported the incident to the Department of Health and Human Services on Dec. 26, 2019, as a health data breach involving a network server and affecting 3,600 individuals, according to HHS Office for Civil Rights' HIPAA Breach Reporting Tool website. Also commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.
The clinic did not immediately respond to an Information Security Media Group request for additional information about the incident, including whether the attack involved both an exfiltration of data and a ransomware attack that locked up the clinic's systems, and whether the clinic paid a ransom.
Some experts note that more ransomware gangs are now exfiltrating data from victims before leaving systems crypto-locked (see Alarming Trend: More Ransomware Gangs Exfiltrating Data).
For instance, in late October 2019, the Maze ransomware gang dumped almost 700 MB of data that it had stolen from Allied Universal, a California-based security services firm. And in December 2019, Maze created a dedicated website listing victims that had yet to pay, to which it began posting excerpts of stolen data (see: Maze Ransomware Gang Dumps Purported Victim List).
So far, the attack on the plastic surgery clinic involving extortion attempts on patients appears to be an anomaly in the healthcare sector - but for how long?
"We are not aware of any other healthcare organizations being targeted and specific patient data being exfiltrated, then publicized," says Clyde Hewitt, executive adviser at security consulting firm CynergisTek. "Given the trend and the publicity surrounding the Maze ransomware gang's other conquests, we are not surprised by this escalation into healthcare."
If the attack on the plastic surgery clinic is the beginning of new blackmail schemes targeting patients, the consequences could be far reaching, including potentially impacting patient care.
"What is most alarming about this trend is the effect it will have on people sharing their medical or personal data with almost any type of provider due to the fear of the data's potential loss or sale to the wrong people," Weiss says. "Patients have to feel safe and secure knowing their electronic health records are not going to be sold on the dark web or that these patients will be directly extorted. If you can't trust the safety and security of your medical or personal data records, this will have a devastating effect on the healthcare industry as a whole."
Hewitt offers a similar assessment: "Patient data, unlike financial data, can't be reset with new account numbers - like banking - so patients may experience serious emotional harm or be physically harmed if they are misdiagnosed or mistreated depending on how the data is used or misused."
The shift in cybercriminals' tactics to demand a ransom for exfiltrated data is in response to organizations not paying the ransom in ransomware attacks and instead relying on backups to restore their systems, Hewitt notes.
"By exfiltrating data prior to encryption, the attackers are clearly trying to raise the stakes and change the risk equation for paying the ransom," he says.
"Patients whose data is compromised will clearly put public pressure on their providers, potentially through litigation. Before, this was more challenging because it was difficult to prove a linkage between a breach and an individual's harm. We can now assume this threshold has been crossed and patients whose data has been compromised will have a clear link back to the source. This could open up a new path to more litigation."
Hewitt says that patients who find themselves being extorted should never pay a ransom. "There is no way to unpublish something that is already being used by criminals. Paying would only invite other criminals to also demand extortion," Hewitt says.
"A patient's only remedy is to first lock their credit, then start monitoring their online activities and profile. It would also be advised to change all their user IDs on websites and passphrases, especially those that may be similar to the provider that was being hacked."
Weiss suggests that patients should ask their healthcare providers what they are doing to keep personal healthcare data safe from cyberattacks.
"It is no longer good enough to know if your doctor is competent, but you may want to know what steps your doctor's medical practice is taking to keep your records safe," he says. "For example, does the medical practice encrypt patient data while it is at 'rest' or in 'transit' to ensure that even if the data is stolen, the cybercriminal will not be able to use it as a means of extorting the patient individually or selling the information on the dark web?"