Minnesota ransomware attack shows the right way to handle breach response
Minnesota-based Associates in Psychiatry and Psychology is notifying 6,546 of its patients that their data may have been breached after a ransomware attack hit the provider in March.
Hackers breached APP's servers somewhere between the evening of March 30 and the morning of March 31. Officials said the all of the data files on its main servers were locked down with a RSA2048 encryption protocol, and the hackers disabled the system restore function on all impacted computers.
Not only that, but the virus reformatted the network storage device where local backups were contained. Hackers left a ransom note and used "Triple-M" crypto-ransomware, with the sole objective of getting victims to pay a ransom.
After discovery, the servers were taken offline for four days to assess the situation and restore computers to the previous state. Officials said they continued to scan for viruses, updated security and contacted the FBI directly afterward.
Officials said they found no evidence the hackers viewed or copied data, as neither the practice management nor electronic health record systems were used during the breach. Those are the only tools able to easily browse or copy that data.
The infected server contained demographic information, insurance claim processing data, medical details. Credit card information was stored in a separate cloud-based bucket and wasn't part of the breach. Officials said they don't maintain other financial information on its system.
APP is required to keep patient records for seven years after the last patient visit, but patients can view the data they have on the patient through its patient portal.
While the incident itself isn't unique to the healthcare sector – the hackers used standard ransomware and less than 10,000 patients were affected – what's notable is the amount of detail given to affected patients about the nature of the breach.
Breaches are have become commonplace in healthcare, of course, but often organizations regurgitate structured responses and are vague on the details – leaving victims and the public in the dark. APP's transparency allows the patient to determine how worried they should be about the security incident and understand how they managed both the data and breach response.
Organizations should take note: APP's response was the optimal way to manage the fallout from an unwelcome but now all too common occurrence. It outlined the reason for the a lack of immediate notification, explained where patients could go to see what data was kept on APP's server, detailed attack specifics and even showed how they concluded the likelihood of hackers having access to the data.
Healthcare Security Forum
The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.