Security News > 2020 > January > New Data Ransom Target: Patients

Could ransomware shakedowns against healthcare entities be taking an even uglier turn? In a recent attack on a Florida-based plastic surgery practice, hackers exfiltrated patients' medical records and then demanded a ransom be paid by the clinic and some of its patients to avoid further exposure of the data.

"The attackers demanded a ransom negotiation, and as of Nov. 29, 2019, about 15-20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met."

The FBI has instructed patients receiving ransom demands to file independent cybercrime complaints online with the bureau, the statement notes.

"However, personally identifiable information may have been stolen for up to 3,500 former or current patients of TCFFR. Because we store PII as the scan of the patient's intake demographic questionnaire, and not in an electronic demographic database, obtaining contact information in order to individually notify all 3,500 patients has been painstakingly slow and labor intensive, and access to the data has been hindered by ongoing IT service disruptions."

Hewitt offers a similar assessment: "Patient data, unlike financial data, can't be reset with new account numbers - like banking - so patients may experience serious emotional harm or be physically harmed if they are misdiagnosed or mistreated depending on how the data is used or misused."

News URL

https://www.inforisktoday.com/new-data-ransom-target-patients-a-13626