
Cybercriminals Hold Australian Medical Clinic Electronic Patient Records Hostage

"They literally got in, hijacked the server, and then ran their encryption software"


ABC News Australia published a report this week about a small medical clinic in Queensland, Australia, which discovered that cybercriminals, apparently Russian in origin, had been able to break through both the clinic’s server firewall and password system and successfully encrypt all of the clinic’s patient electronic medical records. Thousands of patient files are now said to be inaccessible.

The cybercriminals reportedly are demanding the clinic pay A$4000 to decrypt the information, something that the clinic so far is refusing to do. The clinic's owner says that he is worried that if the clinic does pay, the cybercriminals will decrypt only a small number of patient records, and then demand additional ransom monies on promises to decrypt the remainder, and so on. Right now, the clinic is trying to determine how many patient records can be rebuilt from information retrievable from pharmacists and hospitals, but the owner admits it is “very, very, very difficult” to operate effectively without access to the clinic's patient records.

This incident seems to be just the latest in a trend that is following the increasing digitalization of medical records. A Bloomberg story from August describes several incidents of similar extortion demands made of clinics in the United States, as well as thefts of electronic medical records.

Healthcare providers seem to be an especially good target of opportunity for cybercriminals. According to a new benchmark survey published by the Ponemon Institute, some 94 percent of U.S. healthcare organizations have suffered a data breach in the past two years, and 45 percent have admitted to experiencing five such breaches over the same period. In addition, Ponemon's survey reports that "54 percent of organizations have little or no confidence that they can detect all patient data loss or theft," which isn't surprising, given that 73 percent of healthcare providers surveyed admit that they "still have insufficient resources to prevent and detect data breaches... and 67 percent of organizations don’t have controls to prevent and/or quickly detect medical identity theft."

You may remember from a few years ago that the state of Virginia's Prescription Monitoring Program website, containing prescription information on 530 000 patients, was similarly attacked. A cybercriminal claimed to have stolen the patients’ prescription information, encrypted it in a file, and deleted the data. In a ransom note left on the website, he (or she) demanded US $10 million for the information's safe return. While state officials (eventually) admitted the website was indeed breached and information likely taken, the state also said that it had all the patient information securely backed up. No ransom was ever paid, and the would-be extortionist has never been caught.

As a story in NetworkWorld commenting on the Australian medical clinic situation noted, organizations that have securely stored sensitive information offline or in the cloud have been the most successful in keeping such extortionists at bay.

Image credit: Wikipedia/Rama and Eliot Lash
