Cyber Incident Victim: Fetal Diagnostic Institute of the Pacific
Date: Jun 2018
Location: United States of America
Summary
A ransomware attack compromised a server at the Fetal Diagnostic Institute of the Pacific, encrypting files including patient medical records. Forensic analysis found no conclusive evidence that hackers accessed or stole protected health information, but the possibility could not be entirely ruled out, so the incident was treated as a HIPAA breach. The incident potentially exposed names, addresses, dates of birth, diagnoses, account numbers, and other sensitive data for approximately 40,800 patients, though no financial information was affected. The organization engaged cybersecurity experts to remediate systems, eradicate malware, and restore encrypted files, and implemented enhanced security measures after the incident. Affected individuals were notified and advised to monitor for suspicious activity, and regulatory authorities were informed. The organization reports no lasting system compromise and anticipates no patient harm from the breach.
Description
On June 30, 2018, the Fetal Diagnostic Institute of the Pacific (FDIP), a Honolulu-based healthcare provider, experienced a ransomware attack targeting its servers. Malicious file-encrypting software was uploaded to an FDIP server, resulting in the encryption of multiple file types, including patient medical records. FDIP engaged a leading cybersecurity firm to conduct a comprehensive breach review, assess potential patient data access by attackers, and assist with remediation efforts. The forensic investigation failed to identify conclusive evidence that hackers accessed, viewed, or exfiltrated protected health information (PHI), though investigators acknowledged they could not definitively rule out data access or theft. Consequently, FDIP classified the incident as a HIPAA breach and initiated mandatory notifications.

Analysis of the encrypted files confirmed they contained PHI such as patients' full names, home addresses, dates of birth, account numbers, diagnoses, and unspecified additional information categories. Financial data remained unaffected. FDIP reported the breach to the Department of Health and Human Services' Office for Civil Rights (OCR), disclosing that 40,800 current and former patients were impacted. The organization took immediate containment measures: it eradicated all malicious software, restored encrypted files from backups, and verified that no traces of malware remained on its systems. FDIP implemented enhanced security protocols to prevent future breaches and unauthorized PHI disclosures. While asserting that no patients were likely to experience harm, FDIP advised affected individuals to report any suspicious activity they suspect is related to the breach. This incident was the fifth ransomware attack involving more than 500 records reported to OCR by a Hawaii-based entity since 2009.
