
6,000 patient records vaporized. Are we ok with this?


Teenagers famously think they’re invincible, get up to some ridiculous antics, and frequently push the boundaries of wisdom and safety. Sadly, some of them will indeed discover the hard way that even though they’re in their physical prime, they can still be hurt or killed.

Ransomware attacks are a similar situation. Healthcare practices assume it won’t be them. Like teenagers, many will be right, and will suffer no consequences. But there will be some that will. And the worst-case scenario for this case study is that the practice is forced to close down entirely.

The sad case of Ranch Wood Medical

As reported in HIPAA JOURNAL:

“The attack occurred on August 10, 2019 and resulted in its servers being infected with ransomware. The attack caused widespread file encryption and prevented medical records from being accessed.

The extent of the attack was such that computer systems were permanently damaged, making file recovery impossible. The practice had created backups of patient records, but those backups were also encrypted and could not be used to restore patient data.”

Based in California, Ranch Wood Medical notified the FBI, which doesn’t recommend paying the ransom. The hard truth is that even when practices do try to pay the ransom, they sometimes never receive the key to unlock the files.

Other times, the hackers will come back with a demand for more money. The authorities don’t want to encourage the practice, no matter the outcome, leaving the burden squarely on the shoulders of the practices to deal with the brutal consequences.

Tough Decisions

In this case, the partners decided to close the practice. They first sent an email to all 5,832 of their patients explaining that their medical files were forever lost. Then they put up a notice on the front page of their website explaining what had happened.

They will close their business on December 10, 2019, and all staff will be unemployed. It may be a tough road ahead for them – many practices don’t want to hire staff who aren’t cyber trained, and who could end up causing a business to fail.

The cost of lost files

Of course, those 5,832 patients didn’t have a say in the decision to close the practice – they may have preferred to pay the ransom, on the chance they could get their files back. After all, the average person doesn’t have a copy of their medical file, nor do they remember details further back than a year or two.

For these people – some of whom are in the middle of life-saving treatments, some of whom are recovering from surgery, some of whom are on complicated pharmaceutical cocktails – they are now required to find a new doctor with whom they can start to recreate their entire medical history.

Don’t be that guy.

Who knows why Ranch Wood Medical never bothered to create a cyber-safe environment for their patients’ files? Perhaps they thought their anti-virus would help them, although such tools have proven to be completely unreliable, due to the polymorphic nature of many ransomware attacks.

Their biggest mistake was not having a proper backup plan. All businesses need to have a minimum of 2 forms of backup. This practice had just one type of backup, and no off-site strategy. The only backup drive that Ranch Wood had was attached to their server and became encrypted as well. Was this negligence on the part of the IT provider? Perhaps the practice didn’t want the extra expense? It’s a very tragic outcome considering how easily it could have been prevented.

Watch this short video ‘Backup Principles That Will Save The Day’ to learn how to protect yourself from this type of disaster.

The ultimate price

Of course, the partners at Ranch Wood Medical NEVER thought they’d end up losing their business. Hindsight being 20/20, of course they would have preferred to have done their due diligence. Considering that hackers could charge $100 per patient file in ransom – and the practice could have been safeguarded for as little as $1 per patient file – the choice is now obvious.

Breach notification rules mean this practice’s website now shows just the patient notification of the breach, and that they are closing for good. Almost 6000 patients are now without their medical records, and a group of medical professionals – who built a successful practice delivering what appears to be excellent patient care – was wiped out in a day.

It’s time to get serious, and we’re here to help.

At Alexio, we provide a complete and out-of-the-box solution to keep your systems locked down tight.

  • Alexio Defender uses automation and machine learning to monitor, recognize and quarantine anything that shouldn’t be there.
  • Alexio 2nd Server provides you with a fully-separated backup server that means you can be back up and in business in less than an hour, even if there was a systems-down event.
  • Alexio Inspector is your recommended annual security risk assessment, where we discover and correct any breach opportunities.
  • Alexio Learning makes sure your staff knows how to spot and defeat a phishing or social engineering attack.

Join the movement to get serious about cyber-security by signing up HERE to receive weekly micro-training emails. Learn – in 1 minute a week – the many factors that go into being cyber-safe, both at work and at home.

SPECIAL OFFER for National Cyber-Security Awareness Month – OCTOBER 2019: download our cyber-security kit FREE.

Anne Genge, CEO Alexio Corporation

Anne Genge is the CEO and co-founder of Alexio Corporation. She and her team of certified privacy and security professionals help dentists, physicians, and other healthcare providers to secure their data & systems, and comply with privacy laws & college mandates. She is a firm believer that good training in cyber-security is the key to protecting not just her family and clients, but also government bodies and major corporations. To this end, she has partnered with many organizations, including the Canadian Dental Association, to produce training in order to reduce the frequency of human error resulting in a security breach.