Dentist has patient data held for ransom

Imagine being on vacation kayaking in Florida over the holidays – the rush of the water freeing you from the day-to-day grind of the year. With your worries in the back of your mind, your phone rings and it is your dental practice’s IT vendor with some alarming news: Your server has been hacked, you are locked out of your electronic patient information, and you cannot get it back until you pay a ransom to the hackers who infiltrated your practice’s computer system.

This is exactly what happened to one California dentist, who wished to stay anonymous but decided to share her story to warn other dentists of a relatively new hacking scheme. It is called “crypto-ransomware” and it attempts to extort money from victims by displaying an on-screen alert. These alerts often state that the computer has been locked or that all files have been encrypted, and demand that a ransom be paid to restore access. The hackers provide instructions on the screen detailing how to make a payment. The ransom is typically in the range of $100–$300 dollars, according to the Department of Homeland Security.

In this California dentist’s case, the hackers want $500 and she is still determining the next steps.

“I just want my stuff back and I worry about my patient’s information being out there,” said the dentist, who has practiced in the same location for 14 years. “I can't function. My practice has essentially been down now for several days. I can't access software to see scheduling, I have no idea what appointments are set up and we can't access digital X-rays.”

The dentist had two antivirus programs, Cloud backup and hard-disk backup, but it wasn’t enough to prevent her encrypted patient information (which is in compliance with HIPAA) from being re-encrypted by the hackers, making it unavailable to her. The dentist’s IT consultant has since built a new server for the practice and she has reported the incident to the local authorities while she waits for the next steps.

“This is more of a federal offense type of thing, so the police have referred me to the FBI,” she said. “Everybody is advising me not to pay the ransom because you have no way of knowing if it will just open up more problems.”

Homeland Security suggests those who fall victim to the scheme should not pay the ransom.

“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed,” Homeland Security states on its website.

Ransomware, according to Homeland Security, is typically spread through phishing emails that contain malicious attachments and “drive-by downloading.” Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto-ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

A recent study conducted by Bromium, a global enterprise security market company, found that crypto-ransomware is not going to go away any time soon because “traditional detection-based protection, such as antivirus, has proven ineffective at preventing the attack.”

The study also states that the hackers use “traffic anonymizers, such as TOR, and anonymous currencies, such as Bitcoin, to receive ransom payments from their victims without being traced.”

Bromium says crypto-ransomware, which first appeared in September 2013, does not “steal” information, but makes it impossible to access by encrypting it (even if it was already encrypted). The Bromium study goes on to state that prevention is possible in the “early stages of infection before files are encrypted.” Antivirus and Host-based Intrusion Prevention Systems have two windows of opportunity to stop infection: at the stage of drive-by exploit and the stage of process injection.

Dental practices are encouraged to refer to their IT consultant for further direction, but the U.S. Computer Emergency Readiness Team and Canadian Cyber Incident Response Centre recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain up-to-date antivirus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email.
  • Use caution when opening email attachments.
  • Follow safe practices when browsing the Internet.
  • Report instances of fraud to the FBI at the Internet Crime Complaint Center (ic3.gov/default.aspx).

As for the California dentist who was attacked with ransomware over the holidays, she hopes her story helps other dentists become more aware.

“You think you are protected with all your antivirus programs and you still get hacked. It’s a whole new world out there,” she said. “Just be so cautious on any attachments that come in and make sure to limit Internet usage on your practice’s computers.”

On a brighter note, she will not need to go through the breach notification process because she had encrypted her data.

TDIC offers a data compromise policy, with $50,000, $100,000 and $250,000 limits, as an addendum to property coverage. Such a policy can pay for mailing notification letters to patients, providing affected individuals with credit monitoring and more.

For more information on TDIC’s offerings, visit thedentists.com.

For more information on HIPAA compliance, dentists can visit cda.org/privacy-HIPAA.

For more information on ransomware from the Department of Homeland Security, visit us-cert.gov/ncas/alerts/TA14-295A.