When Ransomware Strikes Twice - or Impacts Emergency ServicesLessons Learned From Attacks in Texas, Tennessee
Recent ransomware attacks against a healthcare provider in Texas and police and fire departments in Tennessee spotlight the importance of keeping an eye out for multiple attacks happening simultaneously and having disaster recovery plans in place - especially for emergency services.
Walnut Place, a Dallas-based provider of rehabilitation, skilled nursing and assisted living services, says that it was hit in May with a second ransomware attack while it was still investigating an earlier ransomware attack that was remediated in February.
Meanwhile, in a separate incident in Tennessee, the city of Murfreesboro's police and fire departments say they were recently attacked by ransomware suspected as potentially being a version of the WannaCry malware that wreaked havoc globally this spring. While emergency services are still being operated, the ransomware has left data on 19 PCs irretrievable, the police department says.
Walnut Place - which is managed by Life Care Services, a national provider of skilled nursing and senior living facilities - says that on March 13, its leadership was informed that a ransomware attack occurred on or around Jan. 25 and was remediated on Feb. 2.
"While investigating this incident, Walnut Place was affected by another ransomware attack on May 6, 2017, and discovered it that same day," the provider says.
So far, Walnut Place's investigation has found no evidence that any information was taken from the affected systems in the latest incident. "However, Walnut Place determined that unauthorized individuals had accessed Walnut Place's systems and that certain personal information could have been accessed."
The systems that were impacted by this latest incident contained names; Social Security numbers; driver's license numbers; dates of birth; addresses; telephone numbers; medical record numbers; payment information - such as banking and credit card information; health insurance information; and clinical/diagnostic information for Walnut Place patients and residents, the organization reports.
Walnut Place says it has no evidence of any actual or attempted misuse of information as a result of this incident, but it's notified the FBI about the attack.
According to an entry on the Department of Health and Human Services' so-called "wall of shame" web portal listing health data breaches impacting 500 or more individuals, Walnut Place reported a breach to HHS on May 12 as a hacking/IT incident on a network server impacting 5,000 individuals.
Information Security Media Group's request for comment by Walnut Place was passed on to Life Care Services, which did not immediately respond.
It's not uncommon for organizations to discover additional intrusions and breaches while investigating other security incidents, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"This is because those others discovered after ransomware is known have gone unnoticed; sometimes for weeks, months, or even years," she says. "And, since most organizations do not do frequent enough risk assessments or audits, those issues can go for a long time before anyone is aware that someone has been into the systems from the outside, or that an insider has been abusing his or her access to breach data."
Organizations that discover a breach should always consider that it's "a possibility that multiple breaches are occurring."
If an organization's network, systems and applications have been compromised once, "then certainly those vulnerabilities, along with the constant barrage of threats against your networks and systems, may have already been compromised before you noticed. Always start from the assumption that you are investigating one or more breaches, then determine through your response activities and forensics work the true number of actual breaches," she says.
While Walnut Place deals with its recent attacks, the fire and police departments of Murfreesboro, Tenn., are recovering from a recent attack they believe involves a Wannacry ransomware derivative.
In a statement to ISMG, the Murfreesboro police department says its IT department became aware of the attack on July 1 and responded by taking its systems offline for an unspecified amount of time.
James Durr, chief of the Murfreesboro Police Department, says: "Our IT department has isolated 19 computers out of the 400 between Murfreesboro Fire Department and Murfreesboro Police Department, which were affected by the ransomware, as well as two servers. IT is continuing to evaluate and assess our infrastructure to ensure that we have contained any potential for a further spread and working to bring the servers back online."
The departments have been in contact with the FBI. "We want to make sure our community is aware that our communications center is receiving emergency and non-emergency calls for police and fire rescue and calls for service have not been interrupted since the ransomware attack on July 1."
The police department in a separate statement also said its IT department believes the data on most of the 19 affected PCs is not retrievable.
Although the Wannacry malware assaults were first reported by other organizations across the globe in May, "we believe we were attacked by a different morphed version," the police department says.
The police department did not comment on whether a ransom was demanded or paid.
Herold says that while all organizations should take steps to prevent becoming victims of ransomware attacks, "it is particularly important for a healthcare emergency provider to be on top of these actions, given the significant impact it can have to the physical safety and well-being of patients."
Steps organizations need to take to prevent falling victim to ransomware and other cyberattacks include:
- Making regular and complete backups of all data and software on a separate storage device that is not attached to their network or computer;
- Regularly testing a documented business continuity plan and disaster recovery plan;
- Constantly updating anti-malware programs;
- Training and regularly reminding staff and contractors how not to fall victim to phishing or other scam attempts.