Background
A major hospital and health care network experienced a large-scale data breach affecting hundreds of employee and patient files. Late on a Friday afternoon, the client’s IT department identified complex malware existing in its network system. The malware was consistent with an alleged cyberattack against multiple computer systems that began in the client’s human resources department. Upon investigation, the client learned that malicious actors established auto-forward rules within their email system and sent potentially protected private information outside the client’s network to the threat actor’s Gmail account.
The hospital and health care network immediately engaged Faegre Drinker as legal counsel to manage and advise on all aspects of the incident response. Faegre Drinker professionals, along with colleagues from our data analytics subsidiary Tritura, went to work immediately to assess and contain the threat. We also engaged a forensics and cyber-security company as well as a critical communications company.
First Response
Our first priority was to investigate the spread of the malware infection. We found that multiple email accounts had fallen victim to a phishing scam stemming from one of the client’s subcontractors. We then investigated dozens of employee email accounts and found that threat actors had penetrated multiple hospital email accounts and forwarded hundreds of emails containing personally identifiable information (PII) to a private email address. The threat actors had gained access to emails going back as far as five years earlier.
We identified the infected code sent by the malicious threat actors that had compromised the employee email accounts and then analyzed over two dozen such accounts while our Tritura colleagues simultaneously conducted a data analytics investigation, which fortunately found that none of the compromised email accounts exfiltrated personal health information (PHI). Considering the PII in the mailboxes, we concluded that it was reasonable, out of an abundance of caution, to assume the incident compromised all the PII in the infected computer email systems. Tritura further investigated and found that PII for more than 70 employees and more than 70 independent subcontractors from 19 different agencies was potentially exposed or lost during this cyber intrusion.
Reporting and Communications
The data involved and stolen was the employees’ and independent subcontractors’ names, dates of birth and social security numbers — the kind of data that is remarkably valuable to cyber threat actors. The opportunities for social engineering attacks or for identity theft were significant. We then worked with the client to notify each person whose data was compromised and provided the affected individuals with resources such as credit monitoring services and identity theft protection.
Remediation and Lessons Learned
We advised the client on remediation measures to address the many deficiencies in its IT network security. The measures included new policies and processes to address the complexities, volume and speed of the ever-evolving threat landscape, as well as many new cyber controls, such as deactivating email forwarding, developing more complex password requirements and introducing the use of multifactor authentication.
