Minnesota Ransomware Attack Impacts Over 6,500 Patients

by | May 24, 2018

Associates in Psychiatry and Psychology (APP) a Rochester, Minnesota-based health organization has suffered a ransomware attack that targeted several computers that stored patients’ protected health data.

The ransomware attack was identified on March 31, 2018. Patient information held on the affected computers was not in a “human-readable” format, and no proof was found to suggest any protected health information was obtained or copied by the hackers.

Since data access could not be ruled out with 100% certainty, all patients whose data were stored on the targeted devices have been made aware of the security breach. The types of data potentially obtained includes names, birth dates, addresses, Social Security numbers, insurance details and treatment histories.

APP moved swiftly when the attack was noticed and took its systems offline to stop the spread of the ransomware and restrict the potential for further encryption of data and data theft. APP’s systems remained offline for another four days while the attack was reviewed.

APP stated that the attack is thought to have commenced between the evening of Friday, March 30 and the morning of Saturday, March 31. The sort of ransomware used in the attack was “Triple-M.” APP outlined that this variant of ransomware uses the RSA-2048 encryption protocol and very long keys to encrypt data. The system restore function was also switched and the hackers reformatted the network storage device that was used to hold backups.

APP’s IT Director, Steve Patton, stated to databreaches.net that the ransom was paid as files could not be restored from backups due to the actions taken by the hackers. At first, a ransom demand of 4 Bitcoin was issued, around $30,000, although the practice managed to negotiate with the attackers and paid 0.5 BTC (approx. $3,758) for the keys to rescue the encrypted data.

All systems and data have now been brought back online, extra layers of security and encryption have been adapted, and APP’s remote access policies have been updated.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) revealed that 6,546 patients were potentially affected. APP notes that there was clear proof that protected health information was not accessed by the hackers; however, as a precautionary measure, APP has advised affected patients to review monitor their credit reports closely for any sign of fraudulent use of their private information.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy