On February 5, 2018, Partners HealthCare issued a press release that it would notify patients whose health information may have been compromised following a malware attack.
The health system noticed suspicious activity on May 8, 2017, and said that it “immediately blocked some of the malware.”
However, Partners HealthCare stated that systems were compromised between May 8, 2017, and May 17, 2017, which indicates that its initial efforts to block the malware were only partially successful.
Partners HealthCare hired outside forensic consultants to investigate the incident. Based on the investigation, it described the malware as “sophisticated.”
The investigators also found data files on the Partners HealthCare network, presumably created by the malicious software. Reviewing these data files required extensive manual analysis, which was completed in December 2017. The analysis identified PHI for approximately 2,600 patients in these files. Partners HealthCare stated that the patient information included “names, social security numbers, financial data, procedure type, diagnosis and medication.”
Partners HealthCare did not say whether any data was exfiltrated. It did determine that this information was not extracted from its electronic record software, so presumably other systems were attacked.
Partners HealthCare stated that it is unaware of any incidents of improper use of patient information. Nonetheless, it is offering affected patients free credit monitoring and insurance services.
Lessons from this attack include:
- Hospital systems face the threat of attack from actors using sophisticated malicious software. The sparse facts in this case suggest explicit targeting of hospital applications.
- Organizations need to protect not only their flagship applications, such as the electronic record software, but the extensive array of other applications as well – including revenue cycle, lab information, pharmacy, imaging and others.
- The success of forensic investigations relies on best practices in secure configuration, especially the appropriate use of audit logging and protection of those audit logs. The incomplete information provided suggests that some of these audit logs may not exist.
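The third lesson, protecting audit logs so that a later forensic review can trust them, is illustrated below with an added example that is not part of the original post and has no connection to the Partners HealthCare systems. It shows one common technique, a keyed hash chain over audit records: each record carries an HMAC over its own content plus the previous record's HMAC, so any edit or deletion inside the chain breaks verification. The sample events, field names and key are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample audit events in an assumed JSON shape (not real logs from any incident).
SAMPLE_EVENTS = [
    {"ts": "2017-05-08T09:12:01Z", "host": "lab-app-01", "user": "svc_lab",
     "action": "login", "result": "ok"},
    {"ts": "2017-05-08T09:12:44Z", "host": "lab-app-01", "user": "svc_lab",
     "action": "file_write", "path": "C:\\temp\\export.dat"},
    {"ts": "2017-05-08T09:13:10Z", "host": "lab-app-01", "user": "svc_lab",
     "action": "process_start", "image": "unknown.exe"},
]

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(event):
    # Stable serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_chained(log, event, key):
    """Append an event to the log with an HMAC that binds it to its predecessor."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = hmac.new(key, (prev + _canonical(event)).encode(), hashlib.sha256).hexdigest()
    log.append({"event": event, "prev": prev, "mac": mac})
    return log


def build_log(events, key):
    log = []
    for event in events:
        append_chained(log, event, key)
    return log


def verify_chain(log, key):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = hmac.new(key, (prev + _canonical(rec["event"])).encode(),
                            hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return False, i
        prev = rec["mac"]
    return True, None


def demo():
    # The key must live on the log collector, not on the host whose activity is logged;
    # otherwise whoever controls the host can recompute the chain.
    key = b"constructed-demo-key-held-by-log-server"
    log = build_log(SAMPLE_EVENTS, key)
    intact = verify_chain(log, key)

    # After-the-fact modification of a record inside the chain is detected at that record.
    modified = copy.deepcopy(log)
    modified[1]["event"]["action"] = "file_read"
    modified_result = verify_chain(modified, key)

    # Deleting a record inside the chain is detected at the first record that no longer links.
    deleted = copy.deepcopy(log)
    del deleted[1]
    deleted_result = verify_chain(deleted, key)

    return intact, modified_result, deleted_result


if __name__ == "__main__":
    print(demo())  # → ((True, None), (False, 1), (False, 1))
```

One caveat worth knowing before relying on this: removing records from the tail of the chain leaves the remaining prefix valid, so the collector should also periodically record the latest MAC (and record count) somewhere the logged host cannot write, such as a write-once store or a signed checkpoint, to make truncation visible as well.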
Please see our post Preventing and Mitigating Ransomware Attacks for a more comprehensive list of best-practice measures to protect your organization.