Cyber Incident Victim: Golden Optometric
Date: Nov 2017
Location: United States of America
Summary
Golden Optometric experienced a ransomware attack involving a CrySiS variant that encrypted files on its network server. The intrusion was detected within hours, and IT specialists confirmed no data exfiltration occurred. Compromised documents included patient names, dates of birth, medical record numbers, health insurance identifiers, provider details, visit purposes, blood pressure results, diagnoses, and correspondence with employers or schools. The organization removed affected files from local drives, migrated patient data to encrypted servers, and restored all impacted records from backups.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 6, 2017, Golden Optometric's network server in California was compromised by a variant of the CrySiS ransomware. The attack occurred in the early morning hours and encrypted a limited number of files stored on local drives. The organization detected the intrusion within hours of its occurrence and immediately engaged IT specialists to assess the situation. Forensic analysis confirmed that the network breach was brief, with no evidence of data exfiltration or theft of files. The ransomware's impact was confined to file encryption; there was no unauthorized access to the protected health information stored on encrypted servers.

The affected files consisted of government reporting documents, excused absence notices sent to employers or schools, and referral communications to other healthcare providers. These documents contained patient names, dates of birth, medical record numbers, healthcare provider names, dates of service, visit purposes, blood pressure test results, diagnostic information, and health insurance subscriber identification numbers. Golden Optometric removed all compromised files from local drives and moved patient-identifiable information to secure encrypted servers. The organization restored complete datasets from backup systems, ensuring operational continuity. Notification efforts began promptly after the incident was confirmed, with outreach to affected patients continuing through at least December 2017 as part of its remediation process.
