ABCD Pediatrics used its backup and recovery system to restore its data. But the practice can't confirm whether hackers responsible for the infection made off with private patient information.
Back in February, an ABCD employee discovered that ransomware was encrypting one of the practice's servers. The practice responded by contacting its IT service provider, who took ABCD's server offline for analysis. At that time, the provider detected Dharma, an updated variant of CrySis ransomware, on the company's system.
Fortunately, the pediatric practice and its IT service provider removed the threat from its server and retrieved clean versions of its digital files from its backup system. In the aftermath of the attack, the healthcare center instituted new security measures, including network monitoring for cyberthreats.
ABCD and its IT service provider quickly responded to the ransomware infection. But the attack may have been designed to cover up other malicious activities, like data theft.
"While ABCD’s IT company found no evidence that confidential information was actually acquired or removed from its servers and computers, it could not rule out the possibility that confidential information may have been viewed and possibly was acquired," a statement from the practice reads. "Importantly, ABCD cannot confirm with a high degree of likelihood that confidential information remained secure throughout this incident."
Specifically, the IT company discovered user logs suggesting an outside party accessed the server, which at the time of infection stored patients' sensitive information. It's possible those actors viewed that data and transferred copies of it to a server under their control.
Most ransomware strains, Dharma included, have not engaged in data exfiltration to date. That's because exfiltration capabilities tend to make malware heftier and more complex, and that added bulk and complexity make it easier to detect.
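The two questions a responder asks after an infection like this one are the ones raised above: did anyone from outside log on to the server, and did a large volume of data leave it. The script below is an added illustration of that triage step, not code from ABCD, its IT provider, or any tool named in the article. The log format, the field names, the internal address ranges and the sample lines are all assumptions constructed for the example; it flags successful logons from addresses outside the assumed internal ranges and large transfers to external destinations.

```python
"""Triage authentication and transfer logs for signs that an outside party
reached a server and moved data off it.

Added illustrative example; not from the ABCD incident or its IT provider.
The log format, field names and network ranges are assumptions."""
import ipaddress
import re

# Constructed sample lines (assumed format: timestamp, event type, key=value fields).
SAMPLE_LOG = """\
2017-02-06T02:14:03Z LOGON user=backupsvc src=10.0.5.21 result=success
2017-02-06T02:15:47Z LOGON user=admin src=203.0.113.45 result=failure
2017-02-06T02:15:52Z LOGON user=admin src=203.0.113.45 result=success
2017-02-06T02:31:10Z TRANSFER user=admin dst=203.0.113.45 bytes=734003200
2017-02-06T03:02:19Z LOGON user=nurse1 src=10.0.5.33 result=success
2017-02-06T03:05:00Z TRANSFER user=nurse1 dst=10.0.5.9 bytes=20480
"""

# Address ranges treated as "inside" the practice (assumed).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>LOGON|TRANSFER)\s+(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: do not treat it as trusted
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text, large_transfer_bytes=100 * 1024 * 1024):
    """Flag successful logons from external addresses and large transfers to
    external destinations: the two signals a responder reviews when deciding
    whether data may have been viewed or copied off the server."""
    external_logons = []
    external_transfers = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["event"] == "LOGON" and rec.get("result") == "success"
                and not is_internal(rec.get("src", ""))):
            external_logons.append((rec["ts"], rec["user"], rec["src"]))
        elif rec["event"] == "TRANSFER":
            size = int(rec.get("bytes", "0"))
            if size >= large_transfer_bytes and not is_internal(rec.get("dst", "")):
                external_transfers.append((rec["ts"], rec["user"], rec["dst"], size))
    return {"external_logons": external_logons,
            "external_transfers": external_transfers}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the constructed sample the script reports one external successful logon (the `admin` account from 203.0.113.45, preceded by a failed attempt) and one large outbound transfer to the same address. A hit like that does not prove exfiltration, but it is exactly the kind of entry that prevents an investigator from ruling it out, which is the position ABCD's statement describes.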