In what may be the first report I’ve seen of a hospital having their EMR server hit with cryptocurrency mining software, Decatur County General Hospital in Parsons, Tennessee started notifying 24,000 patients on January 26. A substitute notice on their web site explains:
On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as “cryptocurrency.”
Although the hospital’s investigation is ongoing, they believe that an unauthorized individual accessed the server housing the EMR system to inject the software. The goal of the attack did not appear to be the acquisition or exfiltration of patients’ personally identifiable information or protected health information, and the hospital has no evidence that PII or PHI was acquired or viewed. But as is the case so often, they could not definitively prove that there was no access or viewing, and so, they must notify patients.
Information contained on the affected server included demographic information such as patient names, addresses, dates of birth, and Social Security numbers, clinical information such as diagnosis and treatment information, and other information such as insurance billing information.
Somewhat confusingly, DCGH indicates that the software was installed on the system at least as of September 22, 2017, and “the EMR vendor replaced the server and operating about four days later.” Why, then, was the hospital first notified of the incident on November 27?
In response to the incident, DCGH is offering patients an online credit monitoring service (myTrueIdentity) for one year.
DCGH does not name the EMR system vendor and did not respond immediately to an email inquiry sent to it by this site.