Cyber Incident Victim: Delaware Guidance Services for Children and Youth

On December 25, 2018, Delaware Guidance Services for Children and Youth (DGS) experienced a ransomware attack that encrypted files on its data servers. The attackers demanded payment to provide decryption keys necessary to restore access to the encrypted systems. DGS opted to pay the ransom, though the specific amount was not publicly disclosed. Following the payment and file recovery, DGS engaged an external IT firm to conduct a forensic investigation. This analysis aimed to determine whether threat actors had accessed or exfiltrated protected health information prior to deploying the ransomware. The forensic review concluded there was no evidence suggesting unauthorized access to or theft of patient data occurred during the incident. Investigators assessed the attack's primary motive as financial extortion rather than data theft.

The encrypted files contained sensitive information including patient names, addresses, dates of birth, medical details, and Social Security numbers. DGS initiated breach notifications on February 26, 2019, sending letters to parents and guardians of affected individuals. These notifications outlined the types of exposed data and offered 12 months of complimentary credit monitoring services through MyIDCare. DGS reported the incident to law enforcement authorities and the Department of Health and Human Services' Office for Civil Rights (OCR). OCR's breach portal listed the event as impacting up to 50,000 individuals. No evidence emerged suggesting misuse of compromised information following the attack. The organization's response focused on system restoration, forensic validation of data integrity, and compliance with regulatory reporting obligations.