[BreachExchange] Brooklyn Hospital lost patient records after a ransomware infection

Fri Nov 8 09:59:56 EST 2019

https://securityaffairs.co/wordpress/93487/cyber-crime/brooklyn-hospital-ransomware.html

Another organization in the healthcare industry was a victim of a
Ransomware attack, this time the victim is Brooklyn Hospital.

A ransomware attack has infected several computer systems at the
Brooklyn Hospital Center in New York, the organization permanently
lost patient data. The patient records encrypted in the attack include
names and certain dental or cardiac images. The news of the attack was
disclosed this week, but the incident took place in late July.

The hospital did not pay the ransom, it attempted to recover the data
but without success.

The Brooklyn Hospital Center immediately investigated the incident
with the help of a third-party digital forensics firm and confirmed to
have taken “diligent remediation efforts.”

“Brooklyn Hospital Center in New York has announced that a security
breach occurred in late July 2019 that resulted in malware being
installed on some of the hospital’s servers.” reads the
hipaajournal.com website.

“A third-party digital forensics firm was retained to assess the
nature and extent of the malware attack and assist with the recovery
of encrypted files. On September 4, following ‘exhaustive efforts’ to
recover the encrypted files, it was determined that certain patient
information was unrecoverable.”

According to the notice sent by the hospital, the organization failed
to recover the data, this means that it lacks proper backup management
policy.

“The Brooklyn Hospital Center (the “Hospital”) is providing notice of
a recent data incident that may affect the security of certain patient
information. In response to this incident, the Hospital conducted an
extensive investigation and undertook diligent remediation efforts.”
reads the notice. “Through this investigation, we found no evidence
that data was accessed or acquired from our systems; however, based on
the nature of the incident, we are unable to recover certain records
related to specific patients. Therefore, we are notifying patients
regarding this event and steps we have taken in response.”

The organization pointed out that not all patients are impacted by the
ransomware attack, but it has yet to disclose the number of affected
patients. Brooklyn Hospital managers highlighted that no patient data
was exfiltrated from its systems.

“On September 4, 2019, the investigation confirmed that due to the
malware, and despite exhaustive efforts by the Hospital to recover the
data, certain patient data was unrecoverable.” reads the notice.

The hospital did not provide any details about the family of
ransomware that infected its systems or the amount of money demanded
by the crooks.

“The Hospital encourages those who may be affected to remain vigilant
against incidents of identity theft and fraud, to review account
statements and explanation of benefits, and to monitor credit reports
for suspicious activity and to detect errors.” concludes the notice.
“Under U.S. law, adults are entitled to one free credit report
annually from each of the three major credit reporting bureaus. To
order a free credit report, visit www.annualcreditreport.com or call,
toll-free, 1-877-322-8228.”