Cyber Incident Victim: Dr. Bilancione Dental Practice

Date: Jul 2019

Location: United States of America

Summary

A Maitland dental practice fell victim to a ransomware attack that encrypted its QuickBooks accounting files. The attackers demanded $10,000 and threatened to double the amount every 48 hours, up to $20,000. They reportedly used a purchased exploit kit to identify businesses through their accounting software. While five months of financial records were compromised, patient data remained secure because it was stored on a separate, protected system. The incident highlighted the attackers' opportunistic approach, which focused on business-critical files rather than medical information.

Description

On or around July 23, 2019, Dr. Carl Bilancione's dental practice in Maitland, Florida, experienced a ransomware attack that encrypted all QuickBooks accounting files. The attack manifested through a pop-up screen demanding an initial ransom payment of $10,000 in exchange for file decryption, with the threat that the amount would double every 48 hours if unpaid. Dr. Bilancione's IT personnel investigated the incident and determined the attackers used a pre-packaged hacking kit to infiltrate the system. Their targeting methodology appeared opportunistic, focusing on systems running QuickBooks software as an indicator of business operations. The encryption specifically affected five months of accounting records, disrupting financial operations. No evidence suggested the attackers exfiltrated data before deploying ransomware.

Patient medical records remained uncompromised during the incident due to their storage on a separate, secure system isolated from the affected accounting infrastructure. Dr. Bilancione publicly confirmed the integrity of patient data, emphasizing no health information was accessed or encrypted. The practice did not disclose whether the ransom was paid or if alternative recovery methods were employed. IT analysts concluded the perpetrators were not highly sophisticated actors but rather opportunistic attackers leveraging commercially available exploit kits. The incident highlighted operational disruptions to financial systems while underscoring the effectiveness of network segmentation in containing damage to non-critical systems.
