
Cyber Incident Victim: ABCD Pediatrics

Date:

Feb 2017

Location:

United States of America

Summary

During a ransomware attack involving Dharma ransomware, ABCD Pediatrics discovered suspicious user accounts on its servers, indicating that a separate intrusion may have preceded or accompanied the encryption. Existing antivirus software slowed the encryption, the organization's IT company isolated the affected systems, eradicated the ransomware, and restored them from uncompromised backups kept separate from the primary network, so no data was lost. Investigators found no evidence of data exfiltration but could not rule out unauthorized viewing or acquisition of patient information, including names, Social Security numbers, medical records, and insurance details. The incident prompted notifications to affected patients, law enforcement, and regulatory authorities. Pre-existing security measures included firewalls and intrusion detection systems; post-incident enhancements were implemented to strengthen network monitoring and prevent recurrence.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On February 6, 2017, an employee at ABCD Pediatrics discovered a ransomware attack actively encrypting the organization's servers during morning operations. The attack was partially mitigated by existing antivirus software, which slowed the encryption process. ABCD immediately engaged its IT Company, which isolated the affected servers and computers by taking them offline for forensic analysis. The IT Company identified the malware as Dharma Ransomware, a variant of the older CrySiS ransomware family. While initial analysis indicated that ransomware strains like Dharma typically do not exfiltrate data, investigators could not definitively rule out data removal. During the server examination, suspicious user accounts were discovered, suggesting that unauthorized actors may have accessed portions of ABCD's network prior to or during the ransomware event; the presence of such accounts is the main reason exfiltration could not be excluded, since ransomware that only encrypts leaves no trace of what a human operator did beforehand. The IT Company successfully eradicated the ransomware and restored all affected systems using uncompromised backup data stored separately from the primary network. No ransom demands or communications from threat actors were received by ABCD at any stage of the incident.
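The suspicious user accounts mentioned above are the kind of artifact a responder hunts for in the Windows Security log once a server has been isolated. The following is an added example, not code from the incident record or from ABCD's IT Company: it reads a constructed CSV export of Security events (ID 4720 account created, 4732 member added to a local group, 4624 logon with logon type 10 for RDP) and flags accounts created inside the investigation window that were created by an unexpected operator, placed in a privileged group, or used for RDP logons. The event rows, the EXPECTED_CREATORS set, the PRIVILEGED_GROUPS set and the 14-day lookback are assumptions chosen for illustration.

```python
"""Hunt for suspicious accounts in a Windows Security event log export.

Added example, not part of the incident record. Input is a CSV export with
the columns: time, event_id, target_user, subject_user, logon_type, group.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption, not real data from the incident).
# 4720 = user account created, 4732 = member added to local group,
# 4624 = successful logon (logon_type 10 = RemoteInteractive / RDP).
SAMPLE_LOG = """\
time,event_id,target_user,subject_user,logon_type,group
2017-01-28T02:13:41,4624,Administrator,-,10,-
2017-01-28T02:15:09,4720,svc_backup2,Administrator,-,-
2017-01-28T02:15:40,4732,svc_backup2,Administrator,-,Administrators
2017-01-30T23:52:10,4624,svc_backup2,-,10,-
2017-02-01T09:00:00,4720,jsmith,helpdesk01,-,-
2017-02-01T09:01:12,4624,jsmith,-,2,-
2017-02-06T06:40:31,4624,svc_backup2,-,10,-
"""

# Assumptions for this illustration: which groups count as privileged and
# which operator accounts normally provision users.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Domain Admins"}
EXPECTED_CREATORS = {"helpdesk01"}
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the CSV export into dicts with a datetime and an int event_id."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.fromisoformat(r["time"])
        r["event_id"] = int(r["event_id"])
        rows.append(r)
    return rows


def suspicious_accounts(events, window_start, window_end):
    """Return {account: [reasons]} for accounts created within the window.

    An account is reported when it was created by an operator outside
    EXPECTED_CREATORS, was added to a privileged group, or was used for an
    RDP logon. Accounts created in the window with none of these traits are
    not reported.
    """
    created = {}
    for e in events:
        if e["event_id"] == 4720 and window_start <= e["time"] <= window_end:
            created[e["target_user"]] = e

    findings = defaultdict(list)
    for user, ev in created.items():
        if ev["subject_user"] not in EXPECTED_CREATORS:
            findings[user].append(
                f"created by {ev['subject_user']} at {ev['time'].isoformat()}")
    for e in events:
        user = e["target_user"]
        if user not in created:
            continue
        if e["event_id"] == 4732 and e["group"] in PRIVILEGED_GROUPS:
            findings[user].append(f"added to {e['group']}")
        if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            findings[user].append(f"RDP logon at {e['time'].isoformat()}")
    return dict(findings)


def analyze_sample(lookback_days=14):
    """Run the hunt over SAMPLE_LOG, looking back from the discovery morning."""
    discovery = datetime(2017, 2, 6, 8, 0)  # assumed discovery time
    events = parse_events(SAMPLE_LOG)
    return suspicious_accounts(events, discovery - timedelta(days=lookback_days), discovery)


if __name__ == "__main__":
    for account, reasons in analyze_sample().items():
        print(f"{account}: " + "; ".join(reasons))
```

On the sample, `jsmith` is created in the window but by an expected operator and only logs on interactively, so it is not reported; `svc_backup2` is reported four times over: created by a built-in administrator at 02:15, added to Administrators seconds later, and used for RDP logons twice, the last one on the morning of discovery. A real export from `wevtutil` or a SIEM will have more columns, but the same three event IDs and the logon-type field are the ones to key on.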


Forensic investigations revealed no conclusive evidence that protected health information or other confidential data was acquired or exfiltrated, but ABCD acknowledged it could not confirm with high certainty that the data remained secure throughout the intrusion. Potentially accessible information included patient names, addresses, telephone numbers, dates of birth, Social Security Numbers, insurance billing details, medical records, laboratory reports, and procedure codes, affecting over 55,000 patients. ABCD notified affected individuals, the Federal Bureau of Investigation, and the Department of Health and Human Services in accordance with HIPAA breach notification requirements. The organization emphasized its pre-existing security measures, including firewalls, intrusion detection systems, antivirus software, and password protections, and confirmed post-incident enhancements such as upgraded network monitoring and tooling to identify the source of intrusions. ABCD partnered with Equifax to offer affected patients complimentary identity protection services, including fraud alert assistance and credit monitoring, and provided contact details for all three major credit bureaus to facilitate additional consumer protections.

Sources: 1 source (available to members)