Ransomware attack at Wolfe Eye Clinic
by Kapua Iao
Wolfe Eye Clinic is yet another healthcare provider that became a victim of a data breach. As a network of eye health clinics based in Iowa, Wolfe Eye Clinic provides professional care in the specialties of ophthalmology and optometry.
The consequences of such attacks can be disastrous not only to patients but also to healthcare providers that want to avoid HIPAA violations.
On February 8, 2021, Wolfe Eye Clinic’s IT security team noticed unusual activity from a third party trying to gain access to the network. A recent press release from Wolfe Eye Clinic provides the details.
Staff moved quickly to secure the network and launch an outside investigation. Given the complexity and scale of the cyberattack, the clinic did not realize the full impact until May 28; the investigation itself concluded on June 8.
The hacker used ransomware to access, encrypt, and most likely steal the clinic’s data. This includes the protected health information (PHI) (such as names, addresses, dates of birth, and Social Security Numbers) of approximately 500,000 individuals; for some of them, medical and health information was exposed as well.
The cyberattacker demanded a ransom for a decryption key, but the clinic refused to pay. Instead, Wolfe Eye Clinic opted to use its backup systems to recover its data.
Surprisingly, this cyberattack is not the most extensive on HHS’ Office for Civil Rights (OCR) Breach Portal.
Wolfe Eye Clinic is listed as a Hacking/IT Incident affecting 527,378 individuals. The highest number of affected is Florida Healthy Kids Corporation with 3.5 million listed.
A ransomware epidemic
Ransomware attacks have become so common that the U.S. government has released several statements calling these incidents a ransomware epidemic. The Department of Justice has even elevated ransomware attacks to the same priority level as terrorist attacks.
Ransomware is malware (malicious software) used to deny a victim access to a system until a ransom is paid. A simple click can give a hacker access to data for encryption, exfiltration, and ransom.
While Wolfe Eye Clinic is unsure whether its data was exfiltrated first, data theft and double extortion are all too common nowadays.
The healthcare industry is one of the most targeted sectors for ransomware attacks because of costs related to PHI exposure and the urgency of restoring service since patient care may hang in the balance.
Whether or not to pay after a ransomware attack is a question debated daily.
To pay or not to pay
Most hackers believe that healthcare providers will pay to retrieve stolen PHI and/or to get back into their systems, especially during a health crisis.
Officials, however, insist it is not good business to pay a ransom. FBI Director Christopher Wray recently stated:
Our guidance to industry is not to pay the ransom. And there’s a whole host of reasons for that. I understand it’s a difficult decision for victims to make, but the most important thing is that they reach out and connect with law enforcement . . . as quickly and transparently as possible.
While there are some short-term advantages to paying a ransom, the benefits are not always guaranteed or cost-effective.
| Possible Benefits | Possible Problems |
|---|---|
| Decryption key provided | Time-consuming negotiations |
| Data deleted by hackers | Data released by hackers (before or after ransom paid) |
| Shorter data recovery time | Fake decryption key provided |
| | Data traded, sold, or held |
| | Demand for more money |
| | Word spread about willingness to pay |
Colonial Pipeline recently paid its cyberattacker nearly $5 million to recover its system after a ransomware attack. But a good outcome is not always the case.
According to recent research, nearly one-fifth of victims who pay fail to get their data back.
Governments worldwide have yet to ban ransomware payments altogether. They would rather strongly discourage payment, out of concern that organizations may stop reporting incidents if it were banned.
An alternative solution: strong cybersecurity
Rather than pay a ransom, organizations should concentrate on strengthening cybersecurity. Prevention and preparation are vital in combating cyberattacks.
And for healthcare providers, that means following HIPAA guidelines and ensuring compliance using a multilayered approach to security.
First and foremost, healthcare organizations must begin with a solid business continuity plan along with proper backup and recovery processes in case of a breach.
The fact that Wolfe Eye Clinic utilized separate backups made its recovery time short, though the clinic did not release information about its recovery process.
Second is the use of regular and up-to-date employee awareness training along with solid administrative, technical, and physical safeguards such as:
- Access controls
- Antivirus and antimalware software
- Endpoint security
- Network segmentation
- Prompt patches and updates
Paubox Suite Plus—vital email security
Email communication remains the most utilized threat vector to gain access to a network, which is why strong email security is required to prevent ransomware attacks.
Paubox Email Suite Plus provides both inbound and outbound email protection, including our patented ExecProtect feature, which stops display name spoofing emails from ever reaching an inbox. It also comes with Zero Trust Email, which requires an additional layer of proof of legitimacy before delivering an email.
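To make the display name spoofing problem concrete, here is an added example of the kind of inbound check a mail gateway can apply. It is illustrative code written for this article, not Paubox's ExecProtect implementation or any code from Wolfe Eye Clinic. It assumes a constructed organization domain (example-clinic.test) and a small staff directory; both are placeholders. The check flags a message when the From: display name matches a known internal sender, or is written to look like an internal address, while the actual mailbox behind it is not that person's real one.

```python
from email.utils import parseaddr

# Assumptions (constructed for this example, not the clinic's or Paubox's data):
# the organization's own mail domain and a small directory of staff whose
# display names an impersonator would most plausibly borrow.
ORG_DOMAIN = "example-clinic.test"
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example-clinic.test",
    "dr. john smith": "john.smith@example-clinic.test",
}


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'Dr.  JOHN Smith' equals 'dr. john smith'."""
    return " ".join(name.lower().split())


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_from_header(from_header: str) -> str:
    """Classify a From: header as 'allow' or 'flag'.

    'flag' means the display name impersonates a known internal sender (or is
    written to look like an internal address) while the real mailbox is not
    that person's. Unknown display names are left to other controls.
    """
    display, addr = parseaddr(from_header)
    name = normalize_name(display)

    # Pattern 1: a known staff name with the wrong mailbox behind it.
    expected = KNOWN_SENDERS.get(name)
    if expected is not None and addr.lower() != expected:
        return "flag"

    # Pattern 2: the display name itself is an internal-looking address,
    # e.g. "jane.doe@example-clinic.test" <relay@lookalike.test>.
    if "@" in display and domain_of(display) == ORG_DOMAIN and domain_of(addr) != ORG_DOMAIN:
        return "flag"

    return "allow"


def scan_messages(headers: list[str]) -> list[str]:
    """Return the From: headers the check flags, preserving input order."""
    return [h for h in headers if check_from_header(h) == "flag"]


# Constructed sample headers for a stand-alone run (not real traffic).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-clinic.test>",              # genuine internal mail
    "Jane Doe <jane.doe@gmail.example>",                     # display name borrowed, external mailbox
    '"Dr. John Smith" <john.smith@example-clinic.test>',     # genuine
    "Dr.  JOHN Smith <billing@invoices-portal.test>",        # same name, odd spacing/case, wrong mailbox
    '"jane.doe@example-clinic.test" <relay@lookalike.test>', # internal address used as display name
    "Vendor Support <support@vendor.example>",               # unknown name: not this check's job
]

if __name__ == "__main__":
    for header in scan_messages(SAMPLE_HEADERS):
        print("FLAG:", header)
```

Run as a script it prints the three impersonation attempts from the sample list. The check deliberately does nothing about unknown display names: its job is the narrow, high-confidence case of a trusted name paired with the wrong mailbox, which is the pattern that slips past people skimming an inbox on a phone. In production the directory would come from the identity provider rather than a hard-coded dictionary.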
Our solution enables HIPAA compliant email by default, ensuring messages and patient information are safe from breaches. Our HITRUST CSF certified software assures Paubox customers that all PHI remains protected.
The best tactic is a zero-trust approach in which every person and every device that accesses a network is treated as a potential threat. Rather than deal with the consequences of a breach and a possible HIPAA violation, secure your healthcare organization and patients’ PHI today.