On July 11, 2021, the Oregon Anesthesiology Group discovered that it had suffered a ransomware attack that encrypted files on its systems and cut off access to its servers and patient data.
Immediately after the attack, its IT infrastructure was rebuilt and offline backups were used to restore the affected files. A digital forensics firm was engaged to investigate the breach and confirmed that patient and employee data had been compromised. The affected areas of the network contained files holding patient names, addresses, diagnoses, medical record numbers, dates of service, procedure codes and descriptions, insurance company names, and insurance ID numbers. Employee data potentially exposed in the attack included names, addresses, Social Security numbers, and other information contained in W-2 forms.
The forensic investigation determined that, once the attackers had gained access to the network, they harvested administrator credentials, which allowed them to reach encrypted data on its systems. The FBI informed Oregon Anesthesiology Group that the threat actors most likely exploited a vulnerability in its third-party firewall to gain initial access to the network.
In response to the breach, the group replaced the firewall, rolled out multi-factor authentication more broadly, updated its network access control policies, and engaged a third-party vendor to provide 24/7 real-time security monitoring and to advise on security architecture, stronger data and network segregation, and greater use of cloud-based systems.
Oregon Anesthesiology Group mailed notification letters to approximately 750,000 patients and 522 current and former employees. Although no evidence of attempted or actual misuse of patient information was found, the group offered affected patients identity theft protection and credit monitoring services, together with an identity theft insurance policy.
Data stolen in a ransomware attack is normally beyond the victim's reach unless the ransom is paid, and even then the victim has only the attackers' word that their copies have been deleted. In this case the ransom was not paid. On October 21, 2021, the FBI informed the Oregon Anesthesiology Group that it had taken "an account belonging to HelloKitty, a Ukrainian hacking group, which included OAG patient and worker files." It is not known whether the seized account held the only copy of the stolen data.