
Cyber Incident Victim: Emory Healthcare

Date:

Dec 2016

Location:

United States of America

Summary

A misconfigured MongoDB database containing sensitive patient information from Emory Brain Health Center was hijacked and held for ransom by a hacker demanding payment in Bitcoin. The exposed data included names, medical record numbers, addresses, birth dates, email addresses, and cellphone numbers across multiple datasets, initially estimated to affect approximately 200,000 unique patients but later revised to around 90,000. The database, managed by a third-party service provider rather than by Emory directly, was restored from backups without paying the ransom. The incident occurred amid a widespread wave of similar attacks targeting unsecured MongoDB instances, and no evidence confirmed that data was exfiltrated rather than simply deleted.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On December 30, 2016, MacKeeper Security Research Center identified a misconfigured MongoDB database linked to Emory Brain Health Center through the domain clinicworkflow.org, which was registered on November 13, 2016. The exposed database contained hundreds of thousands of patient records across four folders: "Clinicworkflow" (6,772 records with medical record numbers, addresses, birth dates, and names), "Orthopaedics" (31,482 records with names, medical record numbers, addresses, and email addresses), "Orthopaedics2" (157,705 records with cellphone numbers, names, addresses, and emails), and "Orthoworkflow" (168,354 records with cellphone numbers, names, birth dates, addresses, and emails). Timestamps indicated data spanned 2015–2016, and an "admins" folder included Emory Healthcare employee email addresses. MacKeeper estimated approximately 200,000 unique patients were affected due to overlapping records in the latter folders. By January 3, 2017, the hacker group Harak1r1 had wiped the database and replaced it with a ransom note demanding 0.2 BTC (approximately $200–$220) for data recovery. This attack was part of a broader wave targeting misconfigured MongoDB instances, with nearly 2,000 databases compromised by January 3 and over 3,500 by January 4.
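As an added defender-side example (not from this page, nor from Emory, MacKeeper or the third-party provider), a short Python audit of a mongod.conf for the misconfiguration class described above: a daemon listening on all interfaces with access control disabled. The two configurations are constructed samples, and the parser handles only the two-level YAML subset that mongod.conf uses, so it runs without PyYAML.

```python
"""Audit a mongod.conf for internet exposure without access control."""
import ipaddress

# Constructed samples, not taken from the incident.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one private interface
security:
  authorization: enabled        # every client must authenticate
storage:
  dbPath: /var/lib/mongodb
"""

def parse_simple_yaml(text):
    """Parse the 'section:\\n  key: value' subset used by mongod.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):               # top-level section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def audit_mongod(text):
    """Return a list of findings; an empty list means no exposure found."""
    conf = parse_simple_yaml(text)
    net, security = conf.get("net", {}), conf.get("security", {})
    findings = []
    # Before MongoDB 3.6 an absent bindIp meant "listen on all interfaces".
    for addr in net.get("bindIp", "0.0.0.0").split(","):
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            continue                              # hostnames not checked
        if ip.is_unspecified:
            findings.append(f"bindIp {addr.strip()} listens on all interfaces")
        elif ip.is_global:
            findings.append(f"bindIp {addr.strip()} is a public address")
    # authorization defaults to disabled: anyone who can connect is admin.
    if security.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

Running `audit_mongod` over the weak sample reports both the wildcard bind and the missing authorization setting; the hardened sample reports nothing.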

Emory Healthcare confirmed on January 10, 2017, that the breached database was hosted by a third party and used by clinics to expedite patient flow. Emory stated that it contained limited information on approximately 90,000 patients, excluding Social Security numbers, financial data, and medical records, and that patient care was not disrupted. Emory restored the database from backups and did not pay the ransom. The third party, later identified as Waits & Delays, remediated the intrusion immediately after it was detected. Emory’s investigation remained ongoing as of January 11, with no confirmation of whether data was exfiltrated or solely deleted. Globally, MongoDB ransomware attacks escalated dramatically, affecting over 32,000 databases and wiping 114TB of data by January 11. A newer ransom variant threatened to leak data publicly, though researchers found no evidence that attackers retained stolen data. The incident was reported to HHS as affecting 79,930 individuals. Clinicworkflow.org’s registrant never responded to inquiries, and Emory declined to confirm its role.

Sources
Sources available to members
1 source