By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™
The Little Red Door Cancer Services of East Central Indiana was recently hacked by The Dark Overlord, a
cyber criminal group, and faced a $43,000 ransom demand.
Increasingly, medically related and non-profit
groups experience ransomware demands.
These organizations hold individuals' medical and personal information, and they typically
have weak IT security.
Sometimes the data is
encrypted by the cyber thief, and the ransom demand is for payment in exchange for the decryption
key that unlocks the data. This is what
happened in Madison County, which paid the ransom.
In other cases, it is a blackmail demand: pay, or face the public embarrassment
of having sensitive information published on the internet.
The Dark Overlord group, named after a comic book
character, has been successful in multiple ransomware cases and has netted
over $500 million last year alone, according to security sources.
These data breaches are more serious than previous
credit card breaches because they expose not only Personally Identifiable
Information (PII) but also medical information covered by HIPAA. PII has a value on the "dark net" of about
$50 per individual, and HIPAA information is valued at roughly twice that amount, or
about $100 per individual.
Thus, an
organization -- say a dental or physician office that has maybe 3,000 current
and past client records -- could provide a cyber thief with roughly $450,000 in revenue
from the dark net sale of both the PII and the medical information (3,000 records at about $150 each). The ransom demand is often only a minor
revenue stream for these fraudsters. Many cyber
criminals also enjoy taunting their victims.
From the consumer's standpoint, the theft of PII or
credit card information is inconvenient to most victims and can take a long
time to correct. About one in three Americans will be victims of that kind of
theft this year. For many, the inconvenience
is worse than the financial impact, and the damage can often be repaired without
professional help. The loss of your medical
identity can be worse: it is more difficult to correct, and it is sometimes life
threatening to the victim, for example when someone else's medical history ends up in the victim's records.
From the medical provider’s standpoint, a data
breach can be catastrophic.
In some parts of the U.S., legal boutiques are springing
up that focus on class-action data breach suits involving both PII and
HIPAA-protected data. If a medical-related organization
experiences a data breach and it had not previously conducted a cyber security
assessment or financial risk assessment, had insufficient safeguards, and has an
ineffective (or non-existent) HIPAA security officer, these failings could eventually result
in liability costs that force the sale of the medical practice.
In the case of the Little Red Door, there was no reported
encryption of data; instead, the threat was that the data would be released on the internet. The LRD has reported that it refused to pay
the demand.
Unfortunately, the staff's Social Security numbers and other LRD
information are reportedly already on the dark web. A spokesperson for The Dark
Overlord, who forwarded an email to the media from within the Little Red Door's
internal email account, disputed that the
data had yet been published. Clearly, The Dark Overlord is not finished with the Little Red Door. TDO
claims to have acquired a great deal of
personal information, including diagnoses of clients.
Few non-profits and smaller medical-related businesses have
adequate safeguards to prevent the loss of sensitive client information.