Ransomware campaigns against healthcare companies have been running for a few years now, yet new victims keep coming to light this year. Medical institutions hold an extensive repository of sensitive personal data that should never be stolen or copied, so it is no wonder such organizations are among the most lucrative targets of cybercriminals focused on data theft and ransom extortion.
In April 2019, Massachusetts-based medical billing services provider Doctor’s Management Service, Inc. (DMS) warned its patients that their data might have been exposed due to a breach of the company’s systems that had taken place two years earlier. According to the statement issued by DMS, in April 2017 cybercriminals injected malicious code into the company’s servers, through which data was stolen to be used in future fraudulent operations. The breach was discovered in December 2018, when the attackers deployed ransomware on a vulnerable DMS workstation through unprotected Remote Desktop Protocol (RDP) access. Further analysis showed that the ransomware that had locked the healthcare company’s systems was GandCrab, the most prolific malware threat of its kind.
Though DMS refused to pay the demanded ransom and recovered the affected data from backups instead, the possibility that the cyber crooks have had access to stolen patient files cannot be ruled out. Also, if the attackers copied the data before the encryption, it is very likely that they still possess personal patient information such as Social Security number, address, name, date of birth, medical information (including sensitive diagnostic information), driver’s license number, etc.
Databreaches.net, where the cybersecurity incident was reported, contains a full list of the medical institutions, hospitals, physicians, and other entities that have been clients of DMS and whose patients’ data might have been affected. DMS encourages patients to use a free credit monitoring service provided by the company. Credit monitoring does not protect against fraud, though, so affected parties should also keep a personal watch on their bank accounts and credit statements. Researchers point out that any stolen or copied data can be used in future campaigns and sold to other hackers on underground hacking forums.
Following the breach, DMS has stated that it has taken appropriate steps to improve its network security and to limit access of foreign parties to its systems. Outside experts have also been engaged to help the company prevent any such occurrences in the future.