By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™
Increasingly, medically related and non-profit groups experience ransomware demands. These organizations possess individuals' medical and personal information, and typically have weak IT security.
Sometimes data is encrypted by the cyber thief, and the ransom demand is to provide the decryption key to unlock the data. This is what happened in Madison County, which paid the ransom. In other cases, it is a blackmail demand to avoid the public embarrassment of having sensitive information published on the internet.
The Dark Overlord group, named after a comic book character, has been successful in multiple ransomware cases and has netted over $500 million last year alone, according to security sources.
These data breaches are more serious than previous credit card breaches because they affect not only Personally Identifiable Information (PII) but also Medical Information covered by HIPAA. PII has a value on the “dark net” of about $50 per individual, and HIPAA information is valued at over twice that amount, or about $100 per individual.
Thus, an organization -- say a dental or physician office that has maybe 3,000 current and past client records -- could provide a cyber thief with $300,000 in revenue from the dark net sale of both the PII and medical information. The ransomware demand is often only a minor revenue stream for these fraudsters. Many cyber criminals enjoy taunting their victims.
From the consumer’s standpoint, the theft of PII or credit card information is inconvenient to most victims and can take a long time to correct. About one in three Americans will be victims of that kind of theft this year. The inconvenience for many is worse than the financial impact, and it can often be repaired without requiring professional help. The loss of your medical identity can be worse, more difficult to correct, and sometimes life threatening to the victim.
From the medical provider’s standpoint, a data breach can be catastrophic.
In some parts of the U.S., legal boutiques are springing up that focus on class-action data breach events that involve both PII and HIPAA. If a medical-related organization experiences a data breach and it had not previously conducted a cyber security assessment or financial risk assessment, had insufficient safeguards, and had an ineffective (or non-existent) HIPAA supervisor, these issues could eventually result in liability costs that force the sale of the medical practice.
In the case of the Little Red Door, there was no reported encryption of data; instead, the demand was that the data would otherwise be released on the internet. The LRD has reported that they refused to pay the demand.
Unfortunately, the staff’s Social Security numbers and other LRD information are already on the dark web. A spokesperson for The Dark Overlord, who forwarded an email to the media from within the Little Red Door’s internal email account, disputed the claim that the data had not yet been published. Obviously, The Dark Overlord is not finished with the Little Red Door. TDO claims that they acquired much personal information, including diagnoses of clients.
Few non-profits and smaller medical-related businesses have adequate safeguards to prevent the loss of sensitive client information.