Blue Springs clinic ransomware attack: 45K patients' data exposed

The family clinic notified patients about possibly compromised personal information

Blue Springs family clinic was affected by malware attack that allows hackers to access personal data of almost 45,000 users

Missouri family practice Blue Springs reported of a cyber attack that affected personal data of 44,979 people after cybercriminals gained access to clinic's databases and infected local systems with various malware, including ransomware. The personal information included full name, home address, Social Security number, date of birth, driver’s license number, account number, medical diagnoses, and disability codes.

Although Blue Springs found no evidence that the personal data was misused, the forensic examination confirmed that hackers were able to access personal information. Nevertheless, data breaches are organized for the purpose of harvesting data which can be later used for identity theft or sold on the Dark Web.^[1]

While an overall number of ransomware attacks is in decline and WannaCry and NotPetya^[2] are a thing of the past, high profile organizations should treat cybersecurity seriously, as proves recent malware attack on LabCorp^[3] – one of the leading blood testing laboratories in the US.

First sightings of ransomware were spotted in May 2018

According to the letter^[4] written by Blue Spring's Privacy Officer Melanie Peterson, the computer vendor spotted suspicious activity on the clinic's networks on May 12th, 2018. The attack turned out to be ransomware – a malicious program that affects several thousands of files on the computer and makes them inaccessible.

The company started the examination of the occurrence immediately and hired independent forensic investigators for help. The vendors determined that unknown hackers were able to load a variety of malware into the compromised Blue Springs computer system:

The investigation found indications that unauthorized persons had compromised the Blue Springs computer system and loaded a variety of malware programs, including the encryption program responsible for the ransomware attack. The investigation concluded the unauthorized persons would have had the ability to access all of the Blue Springs computer systems.

The company took steps to increase the security of networks used to store personal data

The healthcare provider took several cybersecurity measures in response to the cyberattack:

• A forensic group of investigators hired to conduct the research of the intrusion;
• The affected systems quarantined in order to avoid further unauthorized access;
• Software that monitors not sanctioned access installed;
• New firewall installed;
• A new electronic data storage provider that can encrypt stored data is being used.

Although Blue Springs Family Care claims that there is no proof that the information was misused, users who were affected should take appropriate measures to avoid severe consequences of a data breach. Melanie Peterson urged patients who were involved in calling credit bureaus:

Call the toll-free numbers of any of the three major credit bureaus (listed below) to place a fraud alert on your credit report. This can help prevent an identity thief from opening additional accounts in your name. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified to place alerts on your credit report.

As soon as the victims contact the appropriate organizations, a fraud alert will be placed on their credit report, which will help to prevent identity fraud.^[5] Blue Spring sincerely apologized for the incident.

Unfortunately, the leaked data is already gone, and there is nobody that can stop cybercriminals from abusing it. That brings up the question “Why can't companies and high-profile organizations take appropriate security measures before the breach occurs?”