GandCrab attack on Doctors’ Management Service exposed patient data

by Alice Woods - - 2019-04-29

Doctors Management Services disclosed GandCrab attack from 2017: customers' data compromised

GandCrab ransomware affected medical company back in 2017 The medical billing company discovered unauthorized access on the network back in December 2018. However, ransomware worked there from April 2017.

Unauthorized access was discovered in medical billing company's Doctors’ Management Service network back in December 2018 although the initial ransomware attack took place on April 1, 2017.^[1] Databreaches.net stated that the medical billing company from Massachusetts started informing its customers about what appeared to be a GandCrab ransomware attack.^[2]

The company is responsible for various healthcare regarded functions that include providing hospitals, doctors or physicians with protected patient information for 38 healthcare centers, including Today’s Wellness PLLC, Thompson Medical Associates, New England Community Medical Service, etc. DMS sent notices to patients and limited access to their internal networks as a precaution measure:

Since discovering the breach, we have changed our network security system to limit access to our systems from outside of our network and to improve our network security. DMS, in conjunction with outside information security experts, is working to help prevent similar occurrences in the future. We will also continue to educate our staff on cyber best practices.

During the initial attack, the malicious actors managed to compromise the company's internal networks by entering them via the RDP protocol. Upon discovery, the firm contacted forensic investigators who concluded that the culprit is GandCrab ransomware, which encrypted internal files.

GandCrab has been one of the most prolific crypto-malware families since its release. Nevertheless, security experts from Bitdefender are actively fighting the malicious actors and their illegal business, as the researchers already released three different tools^[3] that allow decrypting data for free. However, new decryptors simply prompt hackers to release new versions like GandCrab ransomware 5.3^[4] which are not decryptable.

The information theft by cybercriminals is not proven, although it is also not ruled out

As DMS informs, the incident exposed various patients' data including names, addresses, dates of birth, insurance information, driver’s license numbers, and Social Security numbers.

Based on the official Notice of the breach^[5], on February 15, 2019, the final investigation report showed that there is still a question if hackers accessed patients' data on the server or not during the incident. Timothy DiBona, CEO of Doctors' Management Service stated:

On February 15, 2019, our forensic investigator reported that while the investigation could not determine whether personal health information was actually viewed or downloaded that type of activity could not be ruled out. In an abundance of caution a thorough review of all information maintained by DMS in the impacted server at the time of the incident was performed to identify any personal information present.

Additionally, Doctors’ Management Service refused to pay the ransom and decided to retrieve all the encrypted data via backups.

Stolen or copied data can be used in later campaigns

The Massachusetts medical billing company manages hospitals and physicians' services like New England Community Medical Services, AT Care, Holy Family Medical Specialty and many more institutions that were impacted by the data breach. Doctors Management Services' officials say that the technical issue with their network was discovered right before Christmas in 2018 and the investigations were launched with the help of forensic investigators.

Since the analysis was completed in February this year, there is no guarantee that the patients' details will not be used in future hacking campaigns.^[6] The official notice doesn't indicate the number of affected patients, and there is no information on how many patients have been informed about the data breach.

Doctors Management Services noted that the affected users should take appropriate steps to protect themselves from identity fraud or theft by monitoring their bank statements, credit card reports, as well as an explanation of benefits (EOB) forms. If any suspicious activity is noticed, DMS recommends contacting appropriate law enforecement agencies to deal with the situation.

About the author

Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions

References

^ Filip Truta. GandCrab ransomware claims another healthcare firm. Securityboulevard. Source for news, analysis and education on cybersecurity issues.
^ MA: Medical billing service notifies patients of ransomware incident. Databreaches. The office of inadequate security.
^ Anthony Spadafora. GandCrab decryption tool released. Techradar. The source for tech buying advice.
^ Jake Doevan. Gandcrab 5.3 ransomware – crypto malware that continues encrypting users' files and demanding ransom for the decryptor. 2-spyware. Spyware related news and virus removal guides.
^ Doctors' Management Service. Doctorsmanagementservice. Practice management solutions.
^ How hackers leverage stolen data for profit. Trendmicro. Simply security blog.