In what is an extraordinary data breach, even by today’s standards, attackers encrypted thousands of patient records belonging to the Surgeons of Lake County, an Illinois-based medical facility, and a US-based medical practitioner, and then demanded a ransom to unscramble the data.
The attackers compromised one of the medical centre’s servers, encrypted 7,067 patient records and a good number of emails, and then posted a ransom note for an undisclosed sum on the server.
The facility reported the incident to the police and the department of health, turned off the server and refused to pay. It is unclear whether the stolen data was recovered from backup, but the “data-nappers” are still at large.
What is important, however, is the modus operandi of the attackers.
Medical records have come up for extortion before. Express Scripts, the prescription-drug benefits manager, received a threat in 2008, but the company notified its base of 700,000 customers of the possible exposure of their personal information rather than paying up. In 2004, health care facilities that outsourced to India and Pakistan were held to ransom by rogue employees of the outsourcing agency.
This is, however, the first instance in which attackers have carried out a breach and, instead of stealing the data, encrypted it on the victim’s own servers and then openly demanded a ransom rather than trying to sell the data on the black market. This episode, incidentally, comes close on the heels of ransomware incidents in which attackers slip in malware that locks down the system and demands payment to unlock it.
Left unchecked, it may open up a worrisome new front in cyber attacks.
Organizations may retrieve such data from backups, but the question of compromised client confidentiality would still haunt them. In this case, the data that the attackers accessed and encrypted included names, addresses, social security numbers, credit card numbers and medical records.