More than half a million records have been compromised in a ransomware attack on the Bayamón Medical Center and Puerto Rico Women and Children’s Hospital in Bayamón, Puerto Rico.
The hospital and associated medical centre first discovered the attack on May 21, 2019. On July 19, 2019, a press release stated that the ransomware encrypted hundreds of thousands of patient files. Hospital staff were unable to access records ‘for a short period of time’.
Following HIPAA’s Breach Notification Rule, whose jurisdiction also extends to Puerto Rico, the organisations are in the process of notifying 522,000 current and former patients of the ransomware attack. Investigations confirmed that patient information was affected, but did not find evidence to suggest that the hackers accessed, altered, or exfiltrated patient information.
The information potentially compromised was limited to names, demographic information, clinical information, financial information, and in some cases, diagnosis information, dates of birth, and Social Security numbers.
The ransomware attack only rendered data temporarily inaccessible. The hospital and the clinic were able to use backups to restore their systems without losing any information. It is unclear whether the ransom demand was paid for the keys to unlock the encryption or if systems were rebuilt and data restored from backups.
The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights as two separate breaches affecting 422,496 patients of Bayamón Medical Center and 99,943 patients of Puerto Rico Women and Children’s Hospital.
Ransomware has become an increasingly serious threat in recent years. According to Verizon, the communications company, it was the most-used type of malicious software in 2018, accounting for 39% of malware phishing attacks. This figure is double the proportion of malware attacks carried out with ransomware in 2017, and the figures for 2019 are likely to be higher still.
Ransomware attacks may be on the rise because of the availability of the software online. Hackers don’t need to write the software themselves; ransomware can be purchased on the dark web. It requires minimal effort on the part of the phisher, yet offers a significant payback. The victims are comparatively helpless and can do little else but pay the ransom.
It is difficult to protect against these types of attacks. The most straightforward defence is to teach employees about the dangers of phishing. If employees know how to spot suspicious emails, they will be less inclined to open the attachments and inadvertently introduce the malware into the system.