It’s nice to read a notification where an entity had good defenses in place. Consider this notification from Golden Optometric in California:
Early on the morning of November 6, 2017, the network server at Golden Optometric was infected with a variant of the “CrySiS” ransomware virus, which encrypted a limited number of files on its local drives. We discovered this attack within hours of its occurrence and promptly engaged IT specialists to evaluate the situation. The IT specialists determined that the network intrusion was brief and that there was no evidence that any files had been removed.
Since that time, we have been working diligently to identify and contact those patients with information affected by the incident.
What Information Was Involved?
Based upon our investigation, we determined that the affected files included government reporting documents, excused absence letters to patients’ employers/schools, and letters we send to other health care providers when we refer our patients to other providers for care or treatment. These documents generally included patient names, dates of birth, provider names, dates of service, purpose of the provider visit, blood pressure test results, diagnoses, medical record numbers, and health insurance subscriber identification numbers.
Importantly, the ransomware did not affect any of the electronic health records we maintain and no Social Security number, bank account information, credit card information, financial account information, or drivers’ license number of any patient was impacted. Please note that all of our electronic health records are maintained on secure, encrypted servers.
Ok, so it wasn’t perfect, but what is? Considering what we usually see, this is certainly a cut above the rest, isn’t it? And they’re not resting on any laurels. Look at their response/follow-up:
We have removed all affected files from our local drive and we now maintain all of our patient- identifiable information on secure, encrypted servers. We have also recovered complete and accurate copies of all affected files through our data back-up systems.
Color me impressed.
“Secure” is a relative term. How do they define it?
The ransonware was executed by a valid, authorized account holder. That account most likely had significant access to their “secure, encrypted servers.”
That said, ransomware usually doesn’t also exfiltrate data, so the risk data was copied is probably pretty minimal.