A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused permanent loss of some patient’s data.
The hospital tried to recover the data but all efforts were in vain. This indicates that a ransom for decrypting the files was not paid.
Medical records unrecoverable
The attack occurred in late July but the hospital acknowledged it publicly only last week, following what the institution calls “an exhaustive investigation,” and after undertaking “diligent remediation efforts.”
Attempts to recover the encrypted records, however, remained fruitless, the hospital informs in a public notification. Not all patients are impacted by the incident but there is no estimation on how many are.
“On September 4, 2019, the investigation confirmed that due to the malware, and despite exhaustive efforts by the Hospital to recover the data, certain patient data was unrecoverable.”
The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.
Ransomware attacks are about encrypting information, not stealing it, and asking for money in exchange for the decryption key.
In this case, the hospital did not provide any details about the ransomware strain used in the attack or the money demanded by cybercriminals.
Backup is the first line of defense
While the notification to patients indicates that the hospital did not give in to the criminal demands, which is recommended by both the infosec community and law enforcement, it also suggests that Brooklyn Hospital Center did not have a proper backup system implemented.
Medical information is important enough to have safe copies as disaster can take multiple forms, not just ransomware; a malfunctioning computer system can corrupt data or a storage drive may fail.
Organizations handling sensitive information should be prepared for such scenarios and have a backup procedure to keep everything safe.
Defending against ransomware, though, is not the same as protecting against software and hardware failures, though, and access to the backups should be tightly controlled so that malware does not reach them.
The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.