[BreachExchange] Ransomware Attack on Brandywine Urology Impacts 131K Patients

Destry Winant destry at riskbasedsecurity.com
Wed Apr 15 10:26:12 EDT 2020


April 14, 2020 - About 131,825 patients of Brandywine Urology
Consultants are being notified that their data was potentially
compromised during a ransomware attack. The Delaware specialist is
continuing to investigate the scope of the incident.

On January 27, a ransomware infection was discovered on the Brandywine
Urology network. The cyberattack began two days earlier on a Saturday.
Officials said they immediately isolated the attack and began
mitigating the network intrusion.

Once the attack was neutralized, officials explained they performed a
scan of the central server to ensure all traces of malware were
removed. The ransomware attack was confined to the network and did not
impact the electronic medical record system.

The provider hired a third-party security firm to assist with the
investigation, which is ongoing. It appears it was an automated
cyberattack designed to encrypt data and extract a financial payment
from Brandywine Consultants, rather than an attempt to steal data.

However, it’s still possible patient data was compromised during the
attack, including names, contact details, Social Security numbers,
medical file numbers, claims data, and other financial and personal

The practice has since replaced its central server and isolated the
impacted servers, along with replacing or deleting and reloading any
affected computers. Further, they’ve installed an updated antivirus
program, while they continue to work with the security firm to test
its data security measures and implement improvements to ensure the
security and integrity of its systems.


Doctors Community Medical Center in Maryland is notifying some of its
patients that it fell victim to a phishing campaign in January, which
potentially compromised their data.

Several employees fell victim to the phishing attack, providing the
hacker with their user credentials. As a result, the attackers were
able to access the employee payroll information, as well as their
email accounts.

In February, DCMC determined a threat actor was able to access
multiple employee accounts for various periods between November 6, 2019
and January 30, 2020.

The investigation determined those accounts contained data sheets with
patient demographic information, which varied by patient, such as
names, addresses, dates of birth, Social Security numbers, financial
account information, treatments, diagnoses, prescriptions, driver’s
licenses, military identification numbers, medical record numbers,
health insurance information, and other sensitive data.

Law enforcement has been contacted, as it continues to investigate the
incident. Currently, DCMC is continuing to review its existing
policies and procedures and will implement additional safeguards to
bolster its security.


Avalon Health Care Management recently reported a hack of its email
system from July 2019, which potentially breached the data of about
14,500 patients.

In July 2019, Avalon first discovered suspicious activity in its email
system. Officials said they took steps to secure the system and
launched an investigation. One month later, they determined a single
employee email account was accessed without authorization and worked
with a document review vendor to verify the potential patient
information contained in the account.

Nearly six months after they first discovered the hack, officials
concluded the account contained both employee and patient data and
launched a further analysis that concluded on January 27, 2020.

It’s imperative to note that under HIPAA, breaches are to be reported to
the Office of Civil Rights within 60 days of discovery, not at the
conclusion of an investigation. Avalon began notifying patients in
March 2020.


Nevada-based Andrews Braces is notifying about 16,600 patients that
their data was potentially breached after a ransomware attack in

The attack began on February 13, but was discovered the next day. With
assistance from a third-party forensic investigator, they determined
the event was likely an automated attack designed to financially
extort the orthodontist. Further, no data was exfiltrated, but
officials said they could not rule out access.

As a result, the potentially compromised data could include names,
contact details, health information, Social Security numbers, and
email addresses. Andrews Braces has since implemented new security
tools and measures, including hardening overall platform security.


An unauthorized individual gained access to the email account of a
Saint Frances Ministries employee, which potentially breached the data
of an undisclosed number of patients. The Ohio nonprofit is a children
and family services ministry provider that serves about 31,000 people
from the Midwest, Texas, and Central America.

In December, officials said they first discovered suspicious activity
related to one employee email account, and steps were taken to secure
the account. An investigation concluded on February 12 and found the
hacker accessed the account for about a week between December 13 and
December 20.

The investigation could not verify whether the emails or attachments
were viewed or accessed during the security incident. The potentially
affected data varied by patient, but could include Social Security
numbers, dates of birth, driver’s licenses, financial data, credit or
debit card information, treatments, diagnoses, medical record numbers,
and Medicare or Medicaid numbers, among other sensitive data.
