Security Experts:

Medical Practice Closing Permanently After Ransomware Attack

Medical Practice Closing Doors Permanently After Ransomware Destroys Patient Records and Backups

Wood Ranch Medical, a small medical provider located in Simi Valley, CA, is closing after a ransomware attack. A statement explaining the incident and announcing the closure is all that is left on the firm's website. The practice will close on December 17, 2019.

Very little information about the attack is provided in the statement on the website. It says the firm "was the victim of a ransomware attack that resulted in its patients' personal healthcare information being encrypted." There is no indication of the ransomware type, nor the value of any ransom demanded. There is no indication that the incident was reported to the FBI, nor whether any third-party security experts were employed to investigate the incident.

The attack occurred on August 10, 2019 while the notification statement is dated September 18, 2019. In the intervening weeks it can be assumed that the firm tried and failed to recover its patients' healthcare records. "The attack encrypted our servers, containing your electronic health records as well as our backup hard drives," says the firm.

With access to neither the original records nor the backups, the firm has written to its 5,835 patients to explain the situation. It believes it was a straightforward financially motivated attack with the attackers solely after the ransom payment. The statement does not indicate the demanded amount, whether they considered payment, nor why they declined.

The official law enforcement recommendation is to never pay, with warnings that decryption might not be provided while the ransom payment helps to fuel future attacks against other organizations.

"We believe it is likely the attacker only wanted money and not the information on our computers," says the statement. "While we have no reason to believe that anyone's healthcare information was taken, the encrypted system contained electronic healthcare records which included patients' names, addresses, dates of birth, medical insurance and related health information."

Nevertheless, the statement includes information on how to contact Equifax, Experian and TransUnion for information on credit reports, and adds, "You may consider placing a fraud alert on your credit report." With so little information on recovery attempts, it may be wise for patients to assume that their data has been compromised, and to act accordingly.

There are several takeaways from this incident. First, healthcare -- and even small healthcare firms -- remain a target for ransomware attackers. In April 2019, the Brookside ENT and Hearing Center in Battle Creek similarly closed after a ransomware attack had demanded a payment of $6.500 which was not paid. Also in April 2019, Kent, WA-based People’s Injury Network Northwest (PINN), an industrial injury rehabilitation service, was infected with ransomware. In this case, recovery from backups was possible, and a forensics firm was employed.

In July 2019, Berry Family Services, a Rowlett, Texas, provider of services to the disabled and their families, was infected. In this case the victim decided to pay the ransom, and by early September was able to report that it had restored its systems.

Second, in addition to anti-ransomware technology, all firms should ensure air-gapped backups. The old 1-2-3 recommendation remains useful: one copy of data online for use; one copy of backup onsite for problems; and one copy off-line and preferably off-site for serious emergencies like ransomware.

Third, the serious nature of a major cybersecurity breach -- such as ransomware -- should never be underestimated. Data is the life of all firms, and especially small healthcare providers. Firms should understand that without adequate mitigation and response plans, the continued existence of the firm is at risk if all data is lost, even if it is only temporarily lost. Where companies are concerned about their ability to prevent ransomware, pay a ransom, or recover from ransomware, they should consider cyber insurance -- which already has a growing expertise in such cover.

RelatedWyoming Hospital's Services Disrupted by Ransomware

Related: Quarter of Healthcare Organizations Hit by Ransomware in Past Year: Study 

Related: "Philadelphia" Ransomware Targets Healthcare Industry 

Related: When Ransomware Hits Healthcare: To Pay or Not to Pay? 

Related: Ransomware Attack Hits Health Firm LabCorp 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.