Cyber Incident Victim: MetroHealth System
Date:
Jul 2014
Location:
United States of America
Summary
A malware infection compromised three computers in MetroHealth's Cardiac Cath Lab, potentially exposing the personal and medical data of 981 patients, including names, birth dates, medical record numbers, procedure details, and raw cardiac catheterization data. The infection occurred after a business associate disabled antivirus protection while performing software updates; the malware then persisted undetected for roughly eight months, from July 2014 until March 2015. MetroHealth removed the malware and the backdoor it had installed, then added enhanced monitoring, revised its antivirus update protocols, updated its incident response plan, and changed its Cath Lab software maintenance procedures. While unauthorized access to patient information was deemed possible, no evidence indicated actual data misuse or exfiltration. Affected individuals were notified of the incident.
Description
In March 2015, MetroHealth discovered malware on three computers in its Cardiac Cath Lab, prompting an investigation that revealed a security incident affecting 981 patients. The computers were infected between July 14 and July 19, 2014, while a business associate performing software updates had disabled their antivirus protection, leaving the systems unprotected during the window in which the malware was installed. The compromised systems stored sensitive patient data from cardiac catheterization procedures conducted between July 14, 2014, and March 21, 2015, including names, dates of service, birth dates, heights, weights, administered medications, medical record numbers, procedure case numbers, and raw cardiac catheterization data such as EKG tracings and oxygen saturation measurements. MetroHealth detected the malware on March 17, 2015, and completed its removal by March 18; on March 21 it eliminated a persistent backdoor that could have enabled further unauthorized access. The health system acknowledged that unauthorized access to patient information was possible, but found no evidence that data was stolen or misused during the infection period.

MetroHealth responded by notifying all affected individuals of the potential exposure of their information and by implementing several security enhancements to prevent a recurrence. These measures included increased malware monitoring across its systems, formalized reviews of antivirus update compliance, revisions to the organizational incident response plan, and updated software maintenance protocols specific to Cath Lab equipment. The institution emphasized that the infected computers were confined to the Cardiac Cath Lab and held data only for patients who underwent catheterization procedures during the stated timeframe. Despite the breadth of the exposed health information, MetroHealth maintained that the risk of actual data misuse remained low, based on forensic analysis that showed no signs of exfiltration or of unauthorized access beyond the malware infection itself. The incident illustrates the exposure created when a third-party vendor disables endpoint protection during routine maintenance and no subsequent check confirms that it was restored, a gap the new antivirus compliance reviews are intended to close.
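The page describes the antivirus compliance reviews and malware monitoring only at a policy level. As an added example, not MetroHealth's or its vendor's code, the script below shows one concrete form such a review can take: it replays a constructed antivirus-agent audit log for a handful of workstations and flags the three conditions this incident turns on, namely protection disabled without a change ticket, protection still disabled after the maintenance window has elapsed, and signature definitions that have gone stale. The log format, host names, ticket identifier, thresholds and the "as of" time are all assumptions made for illustration.

```python
"""Audit antivirus agent events for protection left disabled after a
maintenance window, unticketed disables, and stale signatures.

Added example for illustration; not MetroHealth's or any vendor's code.
The log format, host names, ticket ID, thresholds and AS_OF time are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample audit log (hypothetical agent format, one event per line:
# <timestamp> <host> <event> <value> [ticket=<change ticket>]).
# Three workstations are disabled under one change ticket; only two are
# re-enabled, one host never gets fresh signatures, and one host is later
# disabled again with no ticket at all (what a tampering backdoor looks like).
SAMPLE_LOG = """\
2014-07-01T02:00:00 cathlab-ws03 signatures 2014.07.01
2014-07-14T02:00:00 cathlab-ws01 signatures 2014.07.14
2014-07-14T02:00:00 cathlab-ws02 signatures 2014.07.14
2014-07-14T08:02:11 cathlab-ws01 protection disabled ticket=CHG-1001
2014-07-14T08:05:40 cathlab-ws02 protection disabled ticket=CHG-1001
2014-07-14T08:07:03 cathlab-ws03 protection disabled ticket=CHG-1001
2014-07-14T11:30:19 cathlab-ws01 protection enabled ticket=CHG-1001
2014-07-14T11:31:02 cathlab-ws03 protection enabled ticket=CHG-1001
2014-07-18T22:14:05 cathlab-ws01 protection disabled
2014-07-18T22:20:00 cathlab-ws01 protection enabled
"""

# Assumed point in time at which the compliance review is run.
AS_OF = datetime(2014, 7, 19, 9, 0, 0)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str            # "protection" or "signatures"
    value: str           # "enabled"/"disabled" or a signature date (YYYY.MM.DD)
    ticket: Optional[str]


@dataclass
class HostState:
    disabled_since: Optional[datetime] = None
    ticket: Optional[str] = None
    signatures: Optional[datetime] = None


def parse_events(text: str) -> List[Event]:
    """Parse the audit log into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        ticket = None
        for extra in parts[4:]:
            if extra.startswith("ticket="):
                ticket = extra[len("ticket="):]
        events.append(Event(ts, parts[1], parts[2], parts[3], ticket))
    return sorted(events, key=lambda e: e.ts)


def audit(events: List[Event], now: datetime,
          max_disabled: timedelta = timedelta(hours=4),
          max_sig_age: timedelta = timedelta(days=7)) -> Dict[str, List[str]]:
    """Return per-host findings; hosts with no findings are absent."""
    state: Dict[str, HostState] = {}
    findings: Dict[str, List[str]] = {}
    for e in events:
        s = state.setdefault(e.host, HostState())
        if e.kind == "protection":
            if e.value == "disabled":
                if e.ticket is None:  # nobody authorised this change
                    findings.setdefault(e.host, []).append(
                        f"protection disabled at {e.ts.isoformat()} without a change ticket")
                s.disabled_since, s.ticket = e.ts, e.ticket
            elif e.value == "enabled":
                s.disabled_since, s.ticket = None, None
        elif e.kind == "signatures":
            s.signatures = datetime.strptime(e.value, "%Y.%m.%d")
    for host, s in state.items():
        if s.disabled_since is not None and now - s.disabled_since > max_disabled:
            findings.setdefault(host, []).append(
                f"protection still disabled since {s.disabled_since.isoformat()} "
                f"(ticket {s.ticket}); maintenance window exceeded")
        if s.signatures is None or now - s.signatures > max_sig_age:
            age = "unknown" if s.signatures is None else f"{(now - s.signatures).days} days"
            findings.setdefault(host, []).append(f"signatures stale (age {age})")
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed log as of AS_OF."""
    return audit(parse_events(SAMPLE_LOG), AS_OF)


if __name__ == "__main__":
    for host, items in sorted(run_sample().items()):
        for item in items:
            print(f"{host}: {item}")
```

Run against a real agent's audit export, the same three checks would be scheduled at the end of every change ticket's window rather than run once; the point of the ticket field is that a disable event with no authorising change is itself an alert, whether it comes from a vendor or from malware.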
