Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser-known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for November 2018 is… a rare success story: the quick recovery from a ransomware attack at Jones Eye Clinic.
Jones Eye Clinic is an Iowa-based medical clinic with an affiliated surgery center. They recently announced that they had experienced a ransomware attack against a computer network used for billing and scheduling. Systems containing electronic medical records were not impacted. Ransomware attacks against healthcare providers are unfortunately nothing new, but what makes this one notable is how smoothly the clinic responded.
The clinic recovered from the attack and was up and running within a day of discovering the ransomware, without paying the ransom. They were able to restore the encrypted data using backups. The attackers may have accessed the personal health information of up to 40,000 people, but this is unlikely given the usual goals of ransomware attacks. As the clinic noted in their announcement, this type of attack is most often an attempt to profit from the ransom rather than from exfiltrating data. Nevertheless, the clinic has notified the people who have been affected.
The information that was encrypted by the attackers included patient names, addresses, dates of birth, and descriptions of appointments. Some people’s social security numbers and insurance numbers were also included. No financial data was compromised.
How Did it Happen?
The clinic’s announcement did not provide much detail about how the ransomware attack occurred, saying only that the virus had been loaded onto the system the evening before it was discovered. Ransomware generally enters an organization’s systems via social engineering, such as a phishing email with a malicious attachment. Some more advanced strains, such as WannaCry, which was famously able to move between computers independently, can gain access without any user action.
How to Minimize the Risk of this Type of Breach
Because Jones Eye Clinic appears to have responded to the attack quite well, we can look at what they did, or may have done, as a blueprint for limiting the impact of a ransomware incident. Most importantly, we know the clinic kept a comprehensive set of regularly updated backups, from which they were able to restore the encrypted data. This was critical to maintaining operations and avoiding the cost of paying the ransom.
From the clinic’s announcement, we also know of some other commendable steps they took. When the attack was discovered, they immediately began an investigation with the support of a digital forensics investigator. They also engaged other IT companies to help them restore the systems and make improvements to prevent future attacks.
As has become the norm in data breaches, the clinic is offering one year of free credit monitoring services to those who may have been affected. They have also provided additional resources, such as a toll-free hotline to answer any questions, and attached additional information to their announcement, including instructions on how patients can place a fraud alert on their credit file, get a free credit report, or request a security freeze on their credit file. This level of care and transparency is notable, given that it is unlikely that anyone’s personal information was stolen.
Not all ransomware attacks can be recovered from this easily, but hopefully as healthcare organizations become more aware of the risks of ransomware, they’ll prepare for this type of effective response.
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.