Ransomware Attacks on Four Healthcare Companies and a Ventilator Manufacturer

Boyce Technologies Inc., a transport communication systems provider based in Long Island City, NY, recently turned its manufacturing facilities to creating ventilators that hospitals can use during the pandemic. Boyce Technologies was hit by a DoppelPaymer ransomware attack, and data was stolen prior to file encryption. The threat actor published some of the stolen information on its blog, including assignment forms, purchase orders, and other sensitive information.

The FDA approved Boyce Technologies Inc. to produce ventilators, and the company was manufacturing approximately 300 machines per day. Hospitals in New York use the ventilators, and the company is currently producing ventilators for other locations. The ransomware attack is a threat to the production of those ventilators and may put lives at risk.

Piedmont Orthopedics/OrthoAtlanta, an orthopedic and sports medicine network located in the greater Atlanta area, experienced a Pysa (Mespinoza) ransomware attack. As with the Boyce Technologies attack, the threat actors stole sensitive information before the file encryption. Databreaches.net reported that the threat actors published approximately 3.5 GB of information online, which includes files containing the protected health information (PHI) of patients.

The Center for Fertility and Gynecology in Los Angeles, CA and the Olympia House Rehab in Petaluma, CA, on the other hand, were hit by Netwalker ransomware. The threat actors stole data, including patients' PHI, and published it on the internet.

Muskingum Valley Health Centers in Zanesville, OH recently informed 7,447 of its patients that threat actors potentially obtained some of their PHI as a result of a ransomware attack on the EHR of OB GYN Specialists of Southeastern Ohio Inc, which contained the information of patients who obtained treatment from 2012 to 2017. The attack happened on May 31, 2020, but Muskingum Valley identified the incident on June 2.

The investigators did not find any evidence indicating the theft of patient information before the ransomware attack, although there is still the possibility of data theft. The attackers most likely accessed names, birth dates, addresses, diagnoses, health conditions, laboratory test data, treatment data, insurance claim details, Social Security numbers, and financial data.

Muskingum Valley offered the affected persons free credit monitoring and identity theft recovery services for 2 years. Security guidelines, procedures and passwords were also updated to avoid more attacks.

According to Emsisoft, 41 healthcare providers submitted ransomware attack reports in the first six months of 2020. Double-extortion attacks, which entail threats to expose or sell information when the victim doesn't pay the ransom, are increasing, as a lot of threat groups are now taking on this strategy. Emsisoft states that about 1 in 10 ransomware attacks today come with data theft.