FBI Recovers Oregonians' Stolen Data

Patient data stolen from an Oregon healthcare provider during a cyber-attack has been recovered by the Federal Bureau of Investigation (FBI). 

The personal health information (PHI) of approximately 750,000 patients of Oregon Anesthesiology Group (OAG) was compromised in the summer. 

Cyber-criminals gained access to the group’s IT system on July 11 and deployed ransomware that encrypted the contents of certain files. As a result of the attack, staff at the healthcare provider could not access patients’ data or the group’s servers.

OAG hired a digital forensics firm to investigate the attack. The cybersecurity experts determined that the attackers had accessed data belonging to 522 current and former employees, as well as sensitive information belonging to patients.

Areas of the network impacted by the attack contained files in which names, addresses, dates of service, diagnosis and procedure codes and descriptions, medical record numbers, insurance provider names and insurance ID numbers were stored. 

Employee data that could have been compromised included names, addresses, Social Security numbers, and additional information declared in W-2 tax forms. 

Following the attack, the group restored its systems from off-site backups and rebuilt its IT infrastructure from the ground up. In the fall, the FBI contacted the healthcare provider, and OAG shared information on how the attack had been carried out.

“On October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files,” stated the group in a data breach notice issued earlier this month. 

“The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network.”

A cyber forensics report obtained by OAG in late November stated that the cyber-criminals used their access to the healthcare provider’s IT system to harvest administrator credentials and reach OAG’s encrypted data.

Since the attack, OAG has replaced its third-party firewall and expanded multi-factor authentication. The group has also engaged a third-party vendor to provide around-the-clock real-time security monitoring with live response, advice on security system architecture, and additional compartmentalization of sensitive data.