Minnesota Ransomware Attack Impacts Over 6,500 Patients

Associates in Psychiatry and Psychology (APP) a Rochester, Minnesota-based health organization has suffered a ransomware attack that targeted several computers that stored patients’ protected health data.

The ransomware attack was identified on March 31, 2018. Patient information held on the affected computers was not in a “human-readable” format, and no proof was found to suggest any protected health information was obtained or copied by the hackers.

Since data access could not be ruled out with 100% certainty, all patients whose data were stored on the targeted devices have been made aware of the security breach. The types of data potentially obtained includes names, birth dates, addresses, Social Security numbers, insurance details and treatment histories.

APP moved swiftly when the attack was noticed and took its systems offline to stop the spread of the ransomware and restrict the potential for further encryption of data and data theft. APP’s systems remained offline for another four days while the attack was reviewed.

APP stated that the attack is thought to have commenced between the evening of Friday, March 30 and the morning of Saturday, March 31. The sort of ransomware used in the attack was “Triple-M.” APP outlined that this variant of ransomware uses the RSA-2048 encryption protocol and very long keys to encrypt data. The system restore function was also switched and the hackers reformatted the network storage device that was used to hold backups.

APP’s IT Director, Steve Patton, stated to databreaches.net that the ransom was paid as files could not be restored from backups due to the actions taken by the hackers. At first, a ransom demand of 4 Bitcoin was issued, around $30,000, although the practice managed to negotiate with the attackers and paid 0.5 BTC (approx. $3,758) for the keys to rescue the encrypted data.

All systems and data have now been brought back online, extra layers of security and encryption have been adapted, and APP’s remote access policies have been updated.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) revealed that 6,546 patients were potentially affected. APP notes that there was clear proof that protected health information was not accessed by the hackers; however, as a precautionary measure, APP has advised affected patients to review monitor their credit reports closely for any sign of fraudulent use of their private information.