More than 131,000 patients of Brandywine Urology received dismal news last April: a large-scale ransomware attack compromised patients’ protected health information (PHI), including their contact details and other extremely sensitive pieces of personal information.
What is Brandywine Urology?
Brandywine Urology Consultants is a private practice that specializes in the treatment of urological conditions. Established in 1987, Brandywine Urology serves patients in Delaware, Maryland, Pennsylvania, and New Jersey.
What is a ransomware attack?
A ransomware attack involves hackers using malicious software (malware) that is designed to hold a computer system or network hostage until the affected organization pays a ransom. Ransomware attackers often target companies that keep sensitive information on hand, such as government entities and healthcare organizations.
A ransomware attack can shut down the network, deny access to users, encrypt critical files on a device, or use some other type of threat to coerce a payment in exchange for file decryption. There have been hundreds of millions of ransomware attacks in recent years, with no signs of slowing down.
If the targeted organization refuses to meet the attacker’s demands or fails to remove the malware, the attacker may then leak or sell sensitive and confidential information.
Even after a ransomware attack is successfully eliminated, it is still possible that sensitive data has been compromised and could be leaked.
What happened at Brandywine Urology?
On January 27, 2020, Brandywine Urology discovered a ransomware attack on its network. The attack had started two days prior over the weekend. You can read Brandywine’s official disclosure here.
The hackers intended to cripple Brandywine Urology’s network, servers, and devices so they could demand a financial payment in exchange for control of the network.
The attackers gained access to sensitive patient PHI, which possibly included:
- Contact information
- Social Security numbers
- Medical file numbers
- Claims data
- Financial data
Brandywine Urology was able to swiftly isolate the threat and avoid paying the ransom. The company also confirmed that hackers did not gain access to the practice’s electronic medical record system.
However, the damage from the data breach was still severe as patients’ data was put at risk.
How did Brandywine Urology respond to the attack?
After Brandywine Urology discovered the breach in its network, it worked swiftly to isolate the attack and slow down the intrusion as quickly as possible. Once it removed the threat, it ensured every trace of malware was removed from the system.
Brandywine also hired a security IT firm to investigate what information was compromised. The IT firm believes that the automated cyberattack’s goal was to encrypt data and extort financial payments from the practice, rather than to steal sensitive data.
Brandywine Urology replaced its central server and replaced all of the affected devices. It installed an updated antivirus program, and the company continues to work with the security firm to increase its data security defenses.
In April 2020, Brandywine Urology reached out to 131,825 patients whose data was potentially put at risk. The practice urged patients to obtain a copy of their credit reports, change account information with financial institutions, change their passwords, and monitor for fraud or identity theft alerts on their accounts.
How did the ransomware attackers gain access to Brandywine Urology’s network?
Brandywine Urology did not confirm how exactly the hackers gained access to its system. However, it’s likely that the attackers used a Trojan disguised as a legitimate file to trick someone into opening or downloading a file in an email attachment.
This kind of email phishing attack has become more common over the years. It’s especially critical that healthcare providers remain vigilant and take every possible step to protect their patients’ data.
Prevent ransomware attacks with Pauxbox
The ransomware attack on Brandywine Urology is unfortunately not an uncommon incident.
There are steps healthcare providers can, and should, take to avoid becoming victims of similar attacks. Not only do these security breaches open up patients to identity theft, but they are HIPAA violations.
One way healthcare providers can protect themselves is by training employees to recognize phishing emails, ransomware attacks, and other malicious spam. Employees are often one of the weakest points in an organization’s security system and effectively training them can prevent attacks from happening in the first place.
However, human error is never 100% avoidable. Healthcare providers can also utilize technical safeguards for their electronic communication. Paubox Email Suite Plus enables you to send HIPAA compliant email by default from your existing email clients, such as Google Workspace or Microsoft 365. Patients receive your messages directly in their inboxes, no passwords or portals required.
Paubox Email Suite Plus also comes with inbound email security features to protect patient data from ransomware attackers and other malware.
Keep your patients safe and your company protected by using encrypted HIPAA compliant email with inbound security.