Ransomware Attack on Medical Billing Service Provider After an Earlier Computer Breach


Doctors’ Management Service Inc., a medical billing services provider based in Massachusetts, discovered on December 24, 2018 that malicious software had been downloaded to its network, preventing file access. Investigators determined that GandCrab ransomware was used in the attack. The provider recovered the files from backups and did not need to pay the ransom.

According to the findings of the investigation, the person who installed the ransomware first accessed Doctors’ Management Service systems on April 1, 2017, which is 7 months prior to deploying the ransomware. The attacker accessed the network through Remote Desktop Protocol (RDP) on one workstation.

The attackers accessed sections of the network that contained the protected health information (PHI) of patients of its customers. The information included patient names, addresses, birth dates, Social Security numbers, insurance details, driver’s license numbers, Medicare/Medicaid ID numbers, and certain diagnostic data.

The attack appears to have been timed so that it would not be discovered quickly. The ransomware deployment was likely an effort to extort cash after the hackers had achieved their other objectives.

Doctors’ Management Service stated in its breach notice that it did not detect any unauthorized server access until the ransomware was deployed on December 24. The forensic investigators also found no indication that patient data was accessed or exfiltrated. However, that does not guarantee that no data was stolen.

The provider has consulted third-party computer security specialists for recommendations on improving network security. The company will implement additional controls to prevent further security breaches. Employees will also receive security awareness training.

Doctors’ Management Service notified the affected clients and patients, as well as the Department of Health and Human Services’ Office for Civil Rights (OCR), about the breach. OCR has not yet published the breach summary on its breach portal, so it is not known how many people the breach impacted.