TMLT remains committed to sharing information with our policyholders on how to protect their sensitive data. Below are three case studies that describe actual cyber claims reported to TMLT. The ultimate goal in publishing these studies is to help physicians respond appropriately to ransomware attacks.
Ransomware case study 1
A practice manager for a small specialty group opened an email attachment and immediately noticed that she could no longer open any files on her computer. She received a pop-up alert with a ransom demand. She contacted IT staff who advised her on initial steps to take.
During IT’s investigation, they found that several months had passed between the last system back up and the ransomware attack. A significant amount of patient data would have not been retrievable from backup, so the group reluctantly decided to pay the small ransom.
Three weeks later, the same employee received another ransomware notice. Again it was decided to pay the ransom, which had doubled in amount since the first attack.
Prompted by the second ransom attack, the group has changed its back-up process to ensure current back ups would always be available. They also employed additional layers of cyber security and trained staff on how to avoid phishing emails.
Because this incident happened before HHS requirements for reporting ransomware attacks, it was not reported as a breach to the practice’s cyber insurance carrier.
While traditional IT security includes ﬁrewalls and antivirus software, these tools no longer provide enough protection. Cyber criminals can bypass IT security, enabling them to pose as authorized users and unlimited access to networks. Finding the right solution to these vulnerabilities includes becoming smarter about data protection and privacy issues and educating your workforce not to click on suspicious links.
Ransomware case study 2
A medium-sized medical practice was unable to access their legacy practice management system. When IT was called, they reported a ransom demand on the server. IT staff took down the entire network to prevent the spread of the ransomware beyond the known server. A new server was restored from backup. Within two days, the practice was functioning normally.
This case demonstrates two important factors:
1. The importance of having a current and complete backup of all your data and a data recovery plan in place;
2. The importance of notifying your cyber liability carrier immediately to help you conduct the required risk assessment.
The infected server was examined to determine if protected health information (PHI) had been accessed and exfiltrated. The risk assessment to determine whether there is a low probability of compromise of the PHI must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. The HHS fact sheet “Ransomware and HIPAA” can help determine if a security incident or ransom attack constitutes a HIPAA breach.
Conducting frequent backups and ensuring the ability to recover data is crucial to recovering from a ransomware attack and ensuring the integrity of PHI. Test restorations should be conducted regularly.
Ransomware case study 3
A physician’s staff returned from lunch to find their network encrypted. Forensic IT specialists were unable to determine if ePHI had been accessed or exfiltrated. The assessment concluded that this incident was a breach, and 30,000 patients were notified. The costs of the forensic investigation, the breach notification process, and legal fees have exhausted the practice’s cyber policy limits. The physician is now responsible for the remaining legal costs related to the OCR investigation.
Before this incident, the physician believed that his practice was too small to be hacked, insisting “who would want my data?”
The practice has now invested heavily in new IT, cyber risk management, and cyber security services. An OCR investigation is underway, which will lead to additional work for practice staff.
Physicians and employees are the greatest vulnerability when it comes to ransom attacks; simply clicking on a link, opening an attachment or using weak or infrequently changed passwords can be the beginning of a long and costly process for practices.