Cyber Incident Victim: Bryan County Ambulance Authority
Date: Dec 2021
Location: United States of America
Summary
A ransomware attack targeted a third-party electronic medical records vendor serving multiple healthcare providers, leading to unauthorized access and deletion of patient databases. The incident involved potential exposure of patient data, though no evidence of data theft was confirmed during the ongoing investigation. Affected providers experienced delayed breach notifications beyond regulatory timelines, with one entity advising patients to monitor for identity theft risks. The vendor faced prior lawsuits alleging system outages and insider threats linked to previous cyberattacks.
Description
The Bryan County Ambulance Authority (BCAA) in Oklahoma experienced a significant cyber incident that affected approximately 14,000 patients. The attack, a ransomware incident, compromised the confidentiality, integrity, and availability of the organization's data. The incident was discovered on November 24, and the BCAA immediately took steps to mitigate the impact. The attack encrypted files stored on the network; in response, all network access was temporarily disabled, and the affected data was subsequently restored.

The ransomware attack began when an unauthorized actor gained access to the BCAA's network and deployed malware that encrypted critical files. This encryption rendered the data inaccessible, disrupting the normal operations of the ambulance authority. The BCAA's IT team quickly identified the attack and responded by disabling all network access to prevent further damage. This immediate action was crucial in limiting the scope of the attack and preventing the spread of the malware to other systems within the network.
Following the initial response, the BCAA brought in an external cybersecurity firm to conduct a thorough investigation. The investigation aimed to determine the extent of the breach, identify the specific data that was compromised, and assess the potential impact on patients. The forensic team conducted an extensive review of the network logs, file systems, and other relevant data sources to piece together the sequence of events leading up to and during the attack. This process was time-consuming and required a detailed analysis of the network infrastructure and security measures in place.
The investigation revealed that the attacker had gained access to the network and began encrypting files on November 24. The encryption process lasted for several hours, during which the attacker targeted key files and systems. The BCAA's IT team detected the attack and immediately took steps to isolate the affected systems and prevent the encryption from spreading further. Despite these efforts, a significant amount of data was encrypted, including patient records, internal documents, and operational data.
The BCAA's response to the attack included a multi-faceted approach to restore normal operations. The first step was to restore the encrypted data from backups. The IT team worked around the clock to ensure that the data was restored as quickly as possible, minimizing the downtime for the ambulance authority. This process involved verifying the integrity of the restored data and ensuring that all critical systems were brought back online without any residual issues.
In addition to restoring the data, the BCAA took steps to enhance its cybersecurity measures to prevent future incidents. This included reviewing and updating access controls, permissions, and data storage security procedures. The organization also implemented additional technical safeguards, such as enhanced monitoring and threat detection systems, to improve its ability to detect and respond to potential security threats.
The BCAA notified the affected patients about the breach, although this notification was delayed beyond the 60-day timeline required by the Health Insurance Portability and Accountability Act (HIPAA). The delay was attributed to the extensive forensic investigation and manual document review that concluded on April 7. The notification informed patients that their data had been compromised and provided them with free identity theft protection services to mitigate the potential risks.
The type of data stolen in the attack was not specified in the public notices. However, it is common in such attacks for sensitive patient information to be targeted, including personal details, medical records, and financial information. The BCAA urged patients to place fraud alerts on their credit reports to protect against identity theft and other forms of fraud that could result from the breach.
The ransomware attack on the BCAA had broader implications for the organization and its patients. The disruption to normal operations and the potential exposure of sensitive data highlighted the importance of robust cybersecurity measures in the healthcare sector. The incident also underscored the need for organizations to have well-defined incident response plans and to conduct regular security assessments to identify and address vulnerabilities.
The BCAA's handling of the incident, including the immediate response, the forensic investigation, and the steps taken to restore normal operations, demonstrated a commitment to mitigating the impact of the attack. The organization's transparency in notifying affected patients and providing them with resources to protect their personal information was a crucial part of the response. The incident also served as a reminder of the ongoing threat of cyberattacks in the healthcare industry and the need for continuous vigilance and proactive security measures to protect patient data and maintain the integrity of critical systems.
