Date: Mar 2018

Location: United States of America

Summary

A Minnesota-based psychiatry and psychology practice suffered an overnight ransomware attack that encrypted its data files, disabled system restore on the affected computers, and reformatted the network storage device holding its local backups, leaving no on-site recovery path. The attackers, suspected but not confirmed to be based in Eastern Europe, deployed TripleM ransomware and demanded 4 BTC; the practice negotiated the amount down to 0.5 BTC and paid it from cryptocurrency wallets. The incident affected 6,546 patients, who were notified along with the U.S. Department of Health and Human Services, although the forensic review found no evidence that patient data was accessed or exfiltrated. The practice's communications described the technical impact and the response measures in clear terms.


Description

On or around March 30-31, 2018, Associates in Psychiatry and Psychology, a Minnesota-based medical practice, experienced a ransomware attack that disrupted operations and compromised critical systems. The intrusion occurred overnight, with the attackers deploying TripleM ransomware to encrypt the practice's data files. The malware went beyond file encryption: it disabled the system restore function on every affected computer and reformatted the network storage device that held the practice's local backups. Together these actions defeated the standard recovery methods and eliminated every on-site backup option. The pattern is worth noting for defenders: a backup target that is reachable, and writable, from the compromised workstations is within the attacker's reach, so only backups that are offline, immutable, or inaccessible with the credentials available on those hosts survive this kind of attack. The attackers left a ransom note demanding 4 Bitcoin (BTC) for restoration, with payment instructions. They were suspected to be based in Eastern Europe, but no definitive attribution was made. With both primary systems and backups gone, the practice's IT infrastructure was inoperable, and an immediate incident response effort was needed to establish the scope of the damage and limit the operational disruption.


The practice negotiated with the attackers, reduced the demand from 4 BTC to 0.5 BTC, and paid that amount from Bitcoin wallets. After payment, systems were restored using the decryption keys the attackers supplied. A forensic investigation found no evidence that patient data had been accessed, viewed, or exfiltrated, a finding that is only as strong as the logging available on the affected systems. The practice nevertheless notified the 6,546 affected patients and reported the incident to the U.S. Department of Health and Human Services (HHS); under HHS guidance, encryption of protected health information by ransomware is presumed to be a reportable breach unless the entity can show a low probability that the data was compromised. Communications to patients included a detailed notification letter and an FAQ explaining the technical aspects of the incident, the containment actions taken, and the reasoning behind paying the ransom. The practice was candid in its disclosures, acknowledging the operational paralysis caused by losing both its primary systems and its backups, and confirming that services were restored after the payment.
