The Ugly Version of Ransomware
As hackers are discovering that some organizations are opting not to pay the ransom after a ransomware attack, either because they have backups or because they do not want to support criminals, the criminals are changing tactics – something we warned about months ago.
In this case, CarePartners, a home healthcare service provider in Ontario, announced last month that it had been breached. At that time it said only that personal health and financial information of patients had been inappropriately accessed, and nothing more.
This is where the ugly starts.
Since CarePartners was managing spin and, apparently, not telling the whole story, the hackers reached out to CBC News and spilled the beans.
They provided a sample of the data involved in the ransom demand and said that they were going to release it if the ransom was not paid. Of course, there is no way to know whether they will release it anyway, even if the ransom is paid.
The “sample” includes thousands of patient medical records with phone numbers, addresses, birth dates, health ID numbers, detailed medical conditions, diagnoses, surgical procedures, care plans and medications.
Other documents shared include credit card numbers and related information.
Now CarePartners says the breach could affect up to 237,000 patients.
Since this particular ransom attack took place in Canada, the penalties would be governed by PIPEDA, the Canadian privacy law, which is pretty tough.
What does this mean for you?
First, you should plan for the worst-case ransom attack, where the attacker says, “If you don’t give us the money, we are going to release your data publicly.” OUCH!
Second, be ready to figure out what the attackers took. A month after the attack, CarePartners said that it had identified 627 patient files and 886 employee records that were accessed, but the “partial” data provided to CBC News contained 80,000 records. HUH?!
Next, apparently, the servers did not have current patches installed; they were two years out of date.
And then, the data was not encrypted.
When CBC News contacted some of the people matching the records that the hackers gave them, they said they were patients of CarePartners, but had not been contacted by them.
CarePartners is working with the Herjavec Group (as in the guy on Shark Tank and yes, they are a legit and well known security company).
CarePartners said that they take security seriously and that they have outsourced their IT to someone else. Apparently that third party isn’t doing a very good job, and CarePartners will get to pay the fine, deal with the lawsuits and have their reputation damaged. In their case, they are a contractor to the local government, so they could have their contract cancelled as well. Remember, you can outsource the responsibility but you cannot outsource the liability, so make sure that you are effectively managing any third parties that claim to be taking care of your security.
Let’s assume this breach costs CarePartners a couple of million dollars, which is reasonable. They need to make sure that they can afford to pay that bill and that their outsourced security provider can reimburse them for that cost – hopefully, in both cases, through adequate insurance.
Information for this post came from CBC News.