Dec 16 2017

Ken Carlson reports on Modesto Bee:

Stanislaus County’s mental health department was the target of a ransomware attack that disabled its computers this week.

About 500 computers in county Behavioral Health and Recovery Services were compromised by the cyberattack Tuesday, according to a press release issued Friday.

It appears that the county will not be paying the demanded ransom, which was worth approximately $65,000.  Services to clients continue during this period.

KCRA adds,  “No breech (sic) of personal information has been detected, officials said.” Curiously, Central Valley Business Times also misspelled “breach” as “breech,” which made me wonder how the county had spelled it in their press release.  Sure enough, Stanislaus County’s press release from yesterday had it spelled “breech” instead of “breach.”

“They said ‘breech?’” Future member of grammar police. Image credit: @Dreamstime_Creative Commons Zero (CC0)

On a positive note, it sounds like the county really had their act together on incident response to isolate and quarantine computers on the network and to manage to keep providing services to clients. The holidays are a time of additional stress and/or depression for many people, and we should all think about how much worse this incident might have been if there were actual support or service interruptions – apart from the risk of protected health information being acquired or exfiltrated.

Dec 15 2017

Meredith Shamburger provides an update to a previously reported incident:

More than a week after several East Texas school districts were notified of a computer security breach that exposed personal information, officials say they still don’t know how many of their students have been affected.

The Texas Department of Agriculture notified nine area districts that students in their schools had personal information, such as names, Social Security numbers and home addresses, compromised by an October hack.

“They told us it was about 700 (students) total in all of the school districts they listed, and at that time they didn’t have a list of who from each district was affected or how many students from each district,” Gladewater ISD Superintendent Sedric Clark said. “I haven’t received anything from them since.”

New Diana, Ore City, Gilmer, Gladewater, Harleton, Karnack, Union Grove and Union Hill ISDs along with Harrison County Juvenile Services were notified of the breach.

State officials said it does not appear any exposed student information has been misused.

The Texas Department of Agriculture oversees school breakfast and lunch programs, which is why school districts were affected. Officials said a daily security monitoring had found malware on one employee’s computer.


Read more on Longview News-Journal.

Dec 15 2017

Jana Hollingsworth reports:

The Proctor school district was hit by a malicious computer software “ransomware” attack last weekend.

Student data and payroll information were not affected, said superintendent John Engelking, but some information kept in Microsoft Word files has been locked away by the hacker. Only computers at the middle and high school were affected, and only those that were left on over the weekend.

The district has not yet notified authorities, but it has hired a forensic data company to deal with the hacker, who hasn’t yet requested an amount of money. The district won’t pay it, Engelking said. The hired company’s job is to find “patient zero,” or the computer that initially was attacked, and write a code to release the data.

Read more on Duluth News Tribune.  The report doesn’t reveal how the attackers were able to inject the ransomware, and since the district says that only computers “left on over the weekend” were affected, how did that happen?

Dec 13 2017

Elenee Dao reports:

The Jerome School District experienced some internet and phone issues early Monday morning, falling victim to ransomware.

Chris Gibson, IT director of the district, said the virus happened early Monday morning around 3 a.m. and when he came into work at 6:30 a.m., he noticed the phone and internet not working.

Gibson said he’s not sure if it was a file that someone downloaded or an email that came in.

Read more on KMVT.

Dec 11 2017

One of the reasons has never confined its reporting and analyses to HIPAA-covered entities is that there are so many other types of entities that collect and store health or medical information.

Today’s example comes from the National Capital Poison Center, who found themselves in the unenviable position of reporting a ransomware attack that involved records of people who called them between January 1, 1997 and October 21, 2017. Why they kept so much data connected is…. unknown to me.

From their notification:

What Information Was Involved? NCPC cannot determine whether any information stored in the database was subject to unauthorized access, and has received no reports of attempted or actual misuse of this information. The database server contains one or more of the following types of information captured during call center calls, if the information was provided: caller name, name of person possibly exposed to a poisonous substance and date of birth, address and telephone number, information about the exposure and clinical course, recommendations provided to the caller, caller’s email address, and if applicable, treating facility name and medical record number. Most calls have only a subset of this information.

NCPC does not indicate whether they paid any ransom or  whether they attempted to restore from backup, and if so, with what results.  And not surprisingly, they do not indicate how many people had their personal information involved in this incident.