Ransomware attack at Wolfe Eye Clinic

 Wolfe Eye Clinic is yet another healthcare provider that became a victim of a  data breach. As a network of eye health clinics based in Iowa, Wolfe Eye Clinic provides professional care in the specialties of ophthalmology and optometry. The ransomware attack affected about 500,000 current and past Wolfe Eye Clinic patients. The network currently serves more than 700,000 patients today. The consequences of such attacks can be disastrous not only to patients but also to healthcare providers that want to avoid HIPAA violations. RELATED:  HIPAA stands for . . . In fact, cyberattacks against covered entities and their  business associates have caused numerous shutdowns and disruptions over the past several months.

What happened?

On February 8, 2021, Wolfe Eye Clinic's IT security team noticed unusual activity from a third party trying to gain access to the network. A recent press release from Wolfe Eye Clinic provides the details. Staff moved quickly to secure the network and launch an outside investigation. Given the complexity and scale of the cyberattack, the clinic did not realize the full impact until May 28; the investigation itself concluded on June 8. The hacker used ransomware to access, encrypt, and most likely steal the clinic’s data. This includes the protected health information (PHI) (such as names, addresses, dates of birth, and Social Security Numbers) of approximately 500,000 individuals. And for some, medical and health information.

RELATED: Is a name PHI?

The cyberattacker demanded a ransom for a decryption key, but the clinic refused to pay. Instead, Wolfe Eye Clinic opted to use its backup systems to recover its data. Surprisingly, this cyberattack is not the most extensive on HHS’ Office for Civil Rights (OCR) Breach Portal. Wolfe Eye Clinic is listed as a Hacking/IT Incident affecting 527,378 individuals. The highest number of affected is Florida Healthy Kids Corporation with 3.5 million listed.

RELATED: What is HHS’ Wall of Shame?

A ransomware epidemic

Ransomware attacks have become so common that the U.S. government released several statements, calling these incidences a  ransomware epidemic. The Department of Justice even elevated ransomware attacks to terrorist attacks. Ransomware is  malware (malicious software) used to deny a victim access to a system until a ransom is paid. A simple click can give a hacker access to data for encryption, exfiltration, and ransom. While Wolfe Eye Clinic is unsure if its data was exfiltrated first, stealing and double extortion are all too common nowadays.

RELATED:  Maze ransomware group publicly releases stolen data

The healthcare industry is one of the most targeted sectors for ransomware attacks because of costs related to PHI exposure and the urgency of restoring service since patient care may hang in the balance. Whether or not to pay after a ransomware attack is a question debated daily.

To pay or not to pay

Most hackers believe that healthcare provides will pay to retrieve stolen PHI and/or to get back into their systems. Especially during a health crisis.

RELATED: Coronavirus cyberattacks: How to protect yourself

Officials, however, insist it is not good business to pay a ransom. FBI Director Christopher Wray recently stated:

Our guidance to industry is not to pay the ransom. And there’s a whole host of reasons for that. I understand it’s a difficult decision for victims to make, but the most important thing is that they reach out and connect with law enforcement . . . as quickly and transparently as possible.

RELATED:  The influence of ransomware on insurance

While there are some short-term advantages to paying a ransom, the benefits are not always guaranteed or cost-effective.

Colonial Pipeline recently paid its cyberattacker nearly $5 million to recover its system after a ransomware attack. But a good outcome is not always the case. According to recent research, nearly one-fifth of victims who pay fail to get their data back. Governments worldwide have yet to ban ransomware payments altogether. They would rather strongly discourage it out of concern that organizations may stop reporting incidences if banned.

An alternative solution: strong cybersecurity

Rather than pay a ransom, organizations should concentrate on strengthening cybersecurity. Prevention and preparation are vital in combatting cyberattacks.

RELATED: Ransomware guidance: what HHS recommends to protect data

And for healthcare providers, that means following HIPAA guidelines and ensuring compliance using a multilayered approach to security. First and foremost, healthcare organizations must begin with a solid business continuity plan along with proper backup and recovery processes in case of a breach. The fact that Wolfe Eye Clinic utilized separate backups made its recovery time short, though the clinic did not release information about its recovery process. Second is the use of regular and up-to-date employee awareness training along with solid administrative, technical, and physical safeguards such as:

• Access controls
• Antivirus and antimalware software
• Endpoint security
• Network segmentation
• Prompt patches and updates
  
  

And of course, strong email security (i.e.,  HIPAA compliant email).

Paubox Suite Plus—vital email security

Email communication remains the most utilized threat vector to gain access to a network, which is why strong email security is required to prevent ransomware attacks.

RELATED: Scripps Health discusses lessons learned from ransomware attack

Paubox Email Suite Plus provides both inbound and outbound email protection, including our patented  ExectProtect feature, which stops  display name spoofing emails from ever reaching an inbox. It also comes with  Zero Trust Email, which requires an additional layer of proof of legitimacy before delivering an email. Our solution enables HIPAA compliant email by default, ensuring messages and patient information are safe from breaches. Our  HITRUST CSF certified software assures Paubox customers that all PHI remains protected. Your team can easily send email communication from an existing email client (such as Google Workspace or  Microsoft 365). No fuss, no extra passwords or logins, and no patient portals. The best tactic is a  zero-trust approach in which every person and every device that accesses a network is a potential threat. Rather than deal with the consequences of a breach and possible HIPAA violation, secure your healthcare organization and patients’ PHI today.