Insult To Injury – Florida Health Care Management Firm Accidentally Gives Data To Attackers

Who:

HMC HealthWorks

How many records impacted:

Undisclosed

Timeline:

Occurred: Undisclosed

Discovered by the Organization: July 16, 2018

Publicly Reported: August 22, 2018

What Happened:

On July 16, 2018 Health Management Concepts, also known as HMC Healthworks, discovered they were the unlucky recipients of a ransomware infection. Like so many other businesses, it seems HMC was poorly positioned to respond to the attack. According to the notification letter provided to the New Hampshire Attorney General, HMC apparently paid the extortion demand in order to restore access to their systems. To quote the letter, “HMC promptly obtained decryption keys from the attackers and decrypted the data without any impact on the services HMC provides.” It is curious why a firm that had just provided a similar notice due to a ransomware event impacting an employee’s computer would be left with little recourse other than paying for the decryption key. Typically firms that suffer a painful malware infection will invest in their security, taking a variety steps to prevent such an event from happening again. So while an organization being hit with two ransomware events just 7 months apart did catch our eye, the story does not end there.

Three days after discovering the infection, HMC made another surprising discovery. Somehow the attackers were given a file containing personal information belonging to employees of a customer. To quote the notification letter once again, “HMC discovered that the attackers were inadvertently provided a file that contained personal information of IBU’s members”. [emphasis added] Really? How does that happen? Sadly – and perhaps understandably – the notification letter provides little else in the way of detail and additional information on the event has not be made publicly available.

Why It Matters:

Two ransomware infections and inadvertently handing over a file containing sensitive information could be a case of very bad luck but it does leave us wondering how HMC manages their security. Security events are never good news but it’s especially damaging to the organization’s reputation when their customers’ data is the subject of compromise due to outright data mishandling. We can only speculate how it came to pass that a file, containing their clients’ employee’s data, accidentally ended up in the hands of malicious actors while responding to a ransomware infection. Regardless, this breach highlights how important it is for third party risk assessment to go beyond the technical aspects of security and delve into the day-to-day data handling processes.

It also highlights the importance of following up with vendors after a breach event. However that file ended up in the hands of the extortionist, it most likely would not have happened at all if HMC had taken more proactive steps after the January event. If HMC’s customers conducted a post-event assessment, they may well have prompted HMC to be more proactive and improve their security practices, thereby preventing the second event from taking place at all.