I’ve been meaning to comment on media coverage of the breach involving The Surgeons of Lake County. While I’m glad my blog entry was able to bring it to the mainstream media’s attention, I was concerned to see some sites and professionals I respect treat it as either a novel crime or as part of a growing trend. Extortion demands are not novel to anyone who’s followed data breaches over the years, and less than half a dozen reported cases spread over 9 years do not constitute a trend for the healthcare sector.
Here’s a chronological listing I’ve compiled of some publicly disclosed healthcare-related breaches involving extortion or ransom demands:
2003:
- A Pakistani clerical worker to whom University of California, San Francisco Medical Center patient records had been outsourced for transcription threatened to upload confidential medical files to the internet unless she received money.
- Two employees of an outsource transcription service in Bangalore demanded unreported concessions or they would upload confidential files from Heartland Information Services in Ohio.
2006:
- A burglary at Medical Excess LLC, a unit of AIG, resulted in the theft of 970,000 patients’ information from the medical underwriter’s office. The company subsequently received an extortion demand to pay $208,000 or the data would be released on the Internet. In 2008, the FBI arrested Kevin Michael Stewart. At the time of the burglary, Stewart was an employee of Eagle Trident Security, the firm that provided building security for Medical Excess.
Note that these first three incidents all involved employees of contractors or subcontractors and not external hacks or ransomware.
2008:
- Express Scripts notified approximately 75 people after it received an extortion demand from someone who had provided them with 75 patients’ records as proof. Refusing to pay, the firm went public with the situation. In September 2009, after the FBI informed them that there was proof that over 700,000 patients’ records had been acquired, they notified the additional individuals. There was no further update from Express Scripts after that time.
An article in November 2008 was headlined, “Is Medical Record Blackmail a Trend to Come?” To this day, there has been no arrest in this case and Express Scripts will not say whether insiders have been ruled out as a source of the breach.
2009:
- The Virginia Prescription Monitoring Program received an extortion demand for $10 million. The individual claimed to have hacked the database and acquired 8,257,378 patient records and a total of 35,548,087 prescriptions. The hacker also claimed to have created an encrypted backup and to have deleted their files. The ransom would presumably buy them the password to get back into their files. If they didn’t pay the ransom, the hacker indicated the records would be put up for sale on the open market. There was never any indication that happened after the state said it would not pay the ransom. This breach is remarkably like The Surgeons of Lake County incident. An article in June 2009 was headlined, “Ransoming data: The new weapon of choice for cyber criminals?”
- The Texas Tribune reported that the state and FBI were investigating whether or not the Texas Cancer Registry had been hacked and if a ransom demand they received was a hoax or real. No further statement was ever made to the public or media and the registry did not respond to an e-mail inquiry from this site requesting a follow-up.
2011:
- Xavier University received an extortion demand for $20,000 after the extortionist found documents containing detailed medical records of some of the college’s athletes. Thanks to the stupidity of the extortionist, he was caught relatively easily. I include this case because although it involves paper records, it was an extortion demand.
- The Surgeons of Lake County in Illinois notified patients of an extortion demand after a hacker encrypted their server and demanded payment to unlock it.
Obviously, I may have missed some relevant incidents that had been reported in the media and there are probably many more that we never hear about – especially if the organizations paid the ransom. But seriously, do the publicly reported incidents support any claim about a “growing trend” or a “novel new approach?”
Put simply, I don’t think they do.
Could this type of situation become a trend? Yes, but there’s simply no compelling evidence that there is a trend at this time.
And while the ransom attempt attracted mainstream coverage as it makes for sexy news reporting, another larger breach I noted in the same blog entry did not generate as much public notice even though it actually affected patients. The breaches recently reported by Memorial Healthcare System and Florida Hospital both demonstrate that despite HIPAA and HITECH, the healthcare sector still has not adopted adequate security measures to prevent or promptly detect insider breaches. And that’s where I think we should be focusing our discussion and efforts: reducing the insider threat while hardening our firewalls and protection from external threats.