Hacker Behind FruitFly Malware on University of Virginia Health System

by | Mar 1, 2018

Around 1,900 people who were treated by the University of Virginia Health System are being contacted to be made aware that a hacker has gained access to their medical information using a malware infection.

The malware in question had been loaded onto the devices in use by a physician at UVa Medical Center. When medical histories were accessed by the physician, the malware permitted the hacker to see the data in real time. The malware software was first loaded onto the physician’s devices on May 3, 2015, with access open until December 27, 2016. Throughout those 19 months, the hacker was able to see the medical histories of 1,882 people.

The types of data seen by the hacker incorporated names, addresses, dates of birth, diagnoses, and treatment details, according to a UVa spokesperson. Financial data and Social Security numbers were not accessed as the physician did not have permissions to view them.

Access to the protected health information of its patients ended towards the latter part of  2016, although UVa did not identify the breach for almost a year. UVa was made aware of the security breach by the FBI on December 23, 2017, after an extensive investigation into the hacker’s operations. Patients affected by the breach were notified this month.

UVa has since put in place a number of extra security controls to prevent further incidents of this nature from happening.

Thousands of Victims’ Sensitive Information Accessed

The hacker has been named as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky supposedly developed a Mac malware called FruitFly more than 13 years ago and employed the malware to spy on thousands of people and companies. The malware supplied Durachinsky with full access to an infected computer, including access to the webcam. The malware captured screenshots, allowed the uploading and downloading of files, and could record keystrokes. Durachinsky also developed the malware to allow him a live feed from multiple infected computers at the same time. UVa is just one victim of this hacker. Other businesses were also impacted and had information accessed, although the extent of the hacker’s activities have not fully been ascertained. The FBI investigation is ongoing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including breaches of the Computer Fraud and Abuse Act and Wiretap Act, in addition to aggregated identity theft and child pornography.

Organizations affected include schools, businesses, healthcare groups, a police department, and local, state and federal government officials. Over 13 years, Durachinsky spied on thousands of people, mainly using the Mac form of the malware, although a Windows-based variant was also utilized.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy