Hackers Hold Australian Medical Records Ransom

Health Data Security: Tips And Tools

An Australian medical clinic's patient records have been forcibly encrypted by attackers, who are demanding $4,200 to decrypt the data. The Miami Family Medical Center, located in the Australian state of Queensland, has taken the encrypted drive offline and refused to pay the ransom demand.

Australian news reports have suggested that Russian hackers are behind the ransom demand, but exactly how they cracked the clinic's network remains unclear. "We've got all the antivirus stuff in place -- there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software," clinic co-owner David Wood told Australia's ABC News.

But keeping the clinic running smoothly has been "very, very, very difficult" since the thousands of patient records are now inaccessible, he said. "What medication you're on can be retrieved from the pharmacists [and] pathology results can be gotten back from pathology," he said.

Information security expert Nigel Phair, who's the director of Australia's Center for Internet Safety, told ABC News that the attacker's low ransom price reflects a high-volume business model, in which hackers will hold as much data for ransom as possible, and set a price that they think the majority of victims will pay.

[ Social engineering is the oldest trick in the book. See Royal Security Fail: 'May I Speak To Kate?' ]

Security experts have been warning that small and midsize businesses are especially vulnerable to these types of ransom demands. Any business that suffers this type of exploit would typically also be legally required to issue data breach notifications to all of their customers or patients, since their records would have been breached.

While numerous data breaches -- including those perpetrated by self-described hacktivist groups -- have involved leaked medical records, ransoming the data is a less well-known occurrence. "It really is not much of a surprise, or it shouldn't be, that some criminals have developed ways to profit from the same sort of hacker activity," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. "Is this the beginning of a trend which we'll see outside of Oz in 2013?"

This isn't the first such attack against Australian businesses. In September, Queensland police issued a warning that two small businesses had been recently targeted by attackers using ransomware. All of the businesses' customer records were forcibly encrypted by attackers, who then sent ransom notices via email to the affected companies.

Those businesses appeared to have been exploited via drive-by attacks, launched by websites that had been compromised by attackers. "At this stage it appears that infected websites are responsible for the problem. When this is combined with older or insecure Web browsers or poor network security, companies are essentially leaving the door open for these viruses," said detective superintendent Brian Hay in a statement released at the time. He recommended that any businesses affected by such an attack not respond to the ransom emails, but instead contact police for assistance.

In the case of the medical center, paying the attackers' ransom demand may be the only way to recover the data, since forcibly decrypting it may be impossible, said Phair. Then again, paying the ransom might only see the attackers decrypt a fraction of the data, and then require further payments for each additional batch.

Wood, the medical center's co-owner, said one lesson he's learned is to ensure that not all backups are network-connected. "Check your IT security and don't leave backups connected to servers," he said. Arguably, if his facility had put a disaster recovery plan in place that included offsite backups, it would have avoided the situation it's in now.

While the Australian ransom demand targeted a medical facility, there's also been an increase this year in ransom-style attacks targeting consumers. Last week, the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center, reissued a warning about the Raveton malware, which automatically locks an infected PC and issues a fake notice from the FBI demanding users pay a fine to regain access.