North Shore Pain Management (NSPM), located in Massachusetts, began informing 12,472 patients about the theft of some of their protected health information (PHI) by hackers. NSPM detected the breach on April 21, 2020, and its investigation confirmed that the hackers first accessed its systems on April 16, 2020.
The substitute breach notice NSPM posted on its website gave no information about the nature of the attack. However, Emsisoft and databreaches.net confirmed the incident was a ransomware attack involving AKO ransomware. When no ransom was paid, the group behind the attack dumped 4GB of stolen data on its Tor site.
The dumped data consisted of a variety of sensitive employee and patient information. The NSPM breach notice stated that the stolen data included patient names, birth dates, medical insurance data, account balances, financial data, and diagnosis and treatment data. For a number of patients, ultrasound and MRI images were also included. Some patients whose Social Security numbers were used as their health insurance/member number also had their SSNs exposed.
Because cybercriminals exposed the stolen data on the internet, affected patients were instructed to keep track of their financial accounts and explanation of benefits statements for any indication of data misuse. NSPM offered free credit monitoring and identity theft protection services to the patients who had their Social Security numbers compromised. NSPM hired a new IT management vendor to strengthen cybersecurity.
The AKO ransomware attackers operate like many other gangs that deploy ransomware manually: they steal data before encrypting files to increase their chances of being paid. The AKO group usually demands two ransom payments from companies with large revenues, one to cover the cost of the decryptor and the other to secure deletion of the stolen data. The ransom demanded for deleting stolen data ranges from $100,000 to $2,000,000.
The group said that certain healthcare providers pay only the ransom for deleting data and not for the decryptor. It is uncertain if NSPM paid a ransom.
Ransomware Attack on Florida Orthopaedic Institute
Florida Orthopaedic Institute based in Tampa, FL reported a ransomware attack on April 9, 2020 and the encryption of patient data stored on its servers. The institute conducted an internal investigation, which showed potential theft of personal data and PHI of patients before file encryption. Florida Orthopaedic Institute has not received any report of patient data misuse that resulted from the attack.
Florida Orthopaedic Institute hired a third-party computer forensic company to help with the investigation and took steps to recover the encrypted information and secure its servers. The institute already notified the affected patients and offered free credit monitoring, identity theft restoration services and fraud consultation.
The data encrypted and potentially acquired by the attackers included names, birth dates, Social Security numbers, medical data associated with appointment times, doctors' locations, diagnosis codes, amounts paid, insurance plan ID numbers, claims addresses, payer ID numbers, and/or FOI claims history.
Florida Orthopaedic Institute hired third-party specialists to improve security to avoid other cyberattacks down the road.
The HHS' Office for Civil Rights has not yet posted the incident on its breach portal, so the number of affected patients is currently unknown.