A ransomware attack on the Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) encrypted files containing the protected health information (PHI) of 8,750 patients. The attack happened on September 5, 2017. ECKAAA discovered it immediately and did what it could to limit its effects, so only a fraction of the server files were encrypted. Those files contained names, addresses, telephone numbers, dates of birth, Social Security numbers and Medicaid numbers.
A cybersecurity firm investigated the extent and nature of the ransomware attack. The investigation found that the ransomware used was a variant of Crysis/Dharma. This ransomware can encrypt files stored locally and on mapped and unmapped network drives. It can also hamper system recovery by deleting shadow volume copies.
No evidence of data exfiltration was found, but that does not exclude the possibility of data access and theft. While not all files were encrypted, they may have been accessed from the server.
ECKAAA had implemented safety precautions against malware attacks before the ransomware attack, and these helped it recover all the encrypted files. Since the safety measures were not enough to stop the ransomware attack, ECKAAA implemented improved security measures that include CrowdStrike advanced malware agents and Cisco Umbrella Insights.
In addition, ECKAAA retrained its staff to fully understand the ransomware threat and reset all passwords, choosing only strong passwords. Policies and procedures will also be updated to reduce the risk of future attacks.
ECKAAA fully complied with the HIPAA Rule in this case of PHI breach. It reported the incident to the Department of Health and Human Services’ Office for Civil Rights and published a breach notice on its website and in prominent newspapers in the five counties where the agency operates. ECKAAA also sent breach notification letters by mail to all patients affected by the ransomware attack.