Cybercriminals Now Demand Ransoms from Patients

Imagine this: One day, out of the blue, you receive an unusual communication from an unknown individual warning YOU that they have photos and personal information about you that they are prepared to release if you don’t pay them a ransom...

At first, you might chuckle, thinking there is no way this is true. But unfortunately, you soon find out that this “warning” is anything but a joke.

Now, you’ve got to be asking yourself, how could this happen?

You may start thinking about all the accounts you have online: Facebook, LinkedIn, email, Netflix, Dropbox, and so many others. BUT how could that expose information and photos that only your doctor has access to?

Wait… could it be? Your doctor’s office let your personal information, including photos, get into the hands of a cybercriminal?


The New Norm?

Now, finding out that you were involved in a data breach from a medical provider is unfortunately not out of the ordinary in today’s digital era. There’s even a chance that you, as a healthcare entity, have had to assist in notifying patients, answering questions, etc. as a result of a breach of Protected Health Information (PHI). But has your organization ever been made aware BY a patient that they have personally received a ransom demand for data that was stolen from YOUR organization?

I hope not. In fact, it’s probably unlikely that this has happened to your business. BUT that doesn’t mean it won’t. Cybercriminals are now demanding ransom payments from PATIENTS, in addition to the practice. What happens if the patient doesn’t pay up? Attackers are threatening to expose their personal information (including photos). THIS – may become the new norm – and THAT is a problem.

The Victim

In early November 2019, The Center for Facial Restoration (TCFFR) in Miramar, Florida fell victim to a cyberattack. Operating under Richard Davis, MD, TCFFR became aware on November 8th that their clinic’s server was breached when Davis received an anonymous communication from cybercriminals. The attackers claimed to have access to “the complete patient’s data”.

The cybercriminals demanded a ransom payment from the practice, which is not uncommon. However, that was just the beginning of their demands. Davis then found out that the cybercriminals were also contacting his past and present patients, demanding that an unspecified ransom be paid BY THE PATIENT, or else the cybercriminals would release their photos and personal information.

Not only has this breach been incredibly inconvenient for patients, but TCFFR has been struggling tremendously to get back on their feet.

According to Davis, “Because we store personally identifiable information (PII) as the scan of the patient’s intake demographic questionnaire, and not in an electronic demographic database, obtaining contact information in order to individually notify all 3,500 patients has been painstakingly slow and labor intensive, and access to the data has been hindered by ongoing IT service disruptions.”

Davis filed a complaint with the FBI on November 12. Although the investigation is still ongoing, the FBI urges any patients who received a ransom demand from the cybercriminals to file an independent complaint.

You can read Davis’ Urgent Patient Advisory in full, here.

What Do You Think?

Again, I want you to think about this incident from a patient perspective. If this happened to you, would you be furious? I think most of us would. Many of us would never set foot inside this practice again. Some may even write a review online or call and report the incident to the local newspaper, news station, or maybe even the Office for Civil Rights (though they will find out eventually).

As a patient, you have every right to feel that way or to report this wrongdoing. As patients, we expect that our providers are doing everything in their power to safeguard our information, and if you’re like me, you would NEVER expect to receive a ransom demand from a cybercriminal as a result of poor security on your provider’s part.

As a Healthcare Entity, You Should be Concerned

As a healthcare organization, this incident should concern you. This is the first time we’re seeing cybercriminals exploit healthcare organizations to demand a ransom not only from them but from their patients as well.

If this happened to your organization, what do you think would happen? Would your patients be outraged? Would your reputation be damaged? Would the expenses of handling this ongoing incident be more than your organization can handle? Would you be forced to close your doors as a result?

For many, the answer to those questions would be yes.

If you have any reason to believe your organization 1) could fall victim to a cyberattack at any given moment, 2) does not have cyber insurance to help you pick up the pieces following a breach, or 3) does not know how to put its best foot forward toward preventing an incident, contact us to learn how we can help at info@nextcenturytechnologies.com or visit us at www.NextCenturyTechnologies.com. We are a proud partner of HIPAA Secure Now!, a company of HIPAA experts dedicated to helping medical entities stay compliant and keep their data safe. Thank you, HIPAA Secure Now! (www.HIPAAsecurenow.com), for the contents of this article.


Tracy Hardin

Tracy Hardin is President and founder of Next Century Technologies in Lexington, KY. She has a bachelor's degree in computer science from the University of Kentucky and has earned certifications from Novell, Cisco and CompTIA. Her specialties in the field of IT are network design and security, project management and improving productivity through technology. She loves helping people by sharing her knowledge of tech.