
Cyber Incident Victim: Jemison Internal Medicine

Date:

Dec 2017

Location:

United States of America

Summary

A ransomware attack encrypted the electronic medical records of Jemison Internal Medicine, prompting the practice to restore systems from backups without paying the ransom. Subsequent investigations revealed an undetected prior intrusion by an unauthorized actor who accessed the network over several months, though no confirmed data exfiltration occurred. The practice notified patients as a precaution due to potential exposure of sensitive information, including personal identifiers, treatment details, prescription data, and insurance information.


Description

On December 20, 2017, Jemison Internal Medicine (JIM) in Jemison, Alabama, experienced a ransomware infection that encrypted its electronic medical record (EMR) system, rendering patient records inaccessible. The ransomware demanded payment to decrypt the files, but JIM refused to pay the attackers. Instead, the practice removed the virus by reinstalling the operating system on its server and restored patient records from backup copies. Subsequent system scans confirmed no residual traces of the ransomware remained. During its investigation into the incident, JIM discovered evidence indicating an unauthorized individual had gained access to its computer systems between September and December 2017, prior to the ransomware deployment. While no direct evidence confirmed the hacker accessed or exfiltrated files within the EMR during this period, the investigation could not rule out such access.

The compromised EMR system contained patient information including names, addresses, telephone numbers, Social Security numbers, dates of birth, driver’s license numbers, treatment details, prescription records, and health insurance information. Although JIM found no proof that the attacker specifically viewed or acquired this data during the intrusion period, the practice notified 6,550 patients by February 16, 2018, as a precautionary measure due to the theoretical risk of exposure. The ransomware incident caused temporary operational disruption by blocking access to medical records until restoration from backups was completed. JIM’s containment response successfully eliminated the ransomware and restored system functionality without capitulating to the attackers’ financial demands. The practice did not publicly confirm whether the initial intrusion vector involved phishing, vulnerabilities, or other methods, nor did it identify the specific ransomware variant involved.
