#1250830: US - Ransomware attack forces Delaware children's agency to hand over thousands of dollars
Delaware Guidance Services for Children and Youth, a Wilmington-based mental health provider, was attacked with malicious software in December that locked the organization out of its own records and required a ransom payment to regain access, the nonprofit said this week.
Records containing personal information for about 20,000 patients — including names, addresses, birth dates, Social Security numbers and medical information of mostly low-income children and families — were stored on servers that became "encrypted" on Christmas Day and could not be opened by staff, according to Executive Director Jill Rogers.
A ransom payment of "thousands" was required to obtain a de-encryption "key" that unlocked the records, Rogers wrote in a Feb. 26 letter to clients. According to an information technology firm hired by the nonprofit, Rogers said, there is no indication that any of the records were viewed or used by the attackers.
"The most important thing is that we don't have any evidence of any data actually being compromised," Rogers said. "These notifications are going out, out of an abundance of caution so people understand that’s the case."
The attack covered about 10 years' worth of electronic records, Rogers said.
Rogers declined to specify how much ransom money was paid and did not describe details of the attack. She said the nonprofit waited until the end of February to inform clients because the organization was "understanding what happened and what the impact might’ve been."
"That assessment process was ongoing during that time," she said.
As of April 2018, state law requires any person who conducts business in Delaware and maintains personal information of residents to notify those affected within 60 days when that information is subjected to a data security breach.
Founded in 1952, Delaware Guidance Services is the largest single not-for-profit provider of comprehensive psychiatric services for children and families in the state, according to its website. It has a staff of 200, a budget of $12 million and five locations statewide.
The nonprofit is offering one year of credit monitoring and reporting services to impacted individuals and is advising clients to closely watch their financial statements.
"We sincerely apologize and regret that this situation has occurred," Rogers wrote in her letter. "DGS is committed to providing quality care, including protecting your personal information, and we want to assure you that we have policies and procedures to protect your privacy."
Ransomware attacks have become increasingly prevalent, according to the National Cybersecurity & Communications Integration Center. They typically occur when an employee clicks on a link in a phishing email or unknowingly visits an infected website.
A county government in Georgia paid $400,000 last week after its computer system was targeted with ransomware, the Athens Banner-Herald reported. In January, the Salisbury Police Department in Maryland experienced a ransomware attack that one captain called "the worst computer network attack in SPD history," Delmarva Now reported.
Nonprofits other than DGS have fallen victim to cybercrimes.
Save the Children Federation, a Connecticut-based charity, lost nearly $1 million when hackers breached a worker's email account, pretended to be a staff member, and falsified documents to dupe the organization into paying a fraudulent company in Japan, the Boston Globe reported in December.
"It's the kind of thing that is, unfortunately, more and more a part of life," Rogers said.
DGS reported its incident to state and federal law enforcement agencies but has not heard about a culprit being caught, Rogers said.
"Depending on our findings, the Consumer Protection Unit will determine which additional steps, if any, will be necessary," Attorney General's Office spokesman Carl Kanefsky said.
The good news, Rogers said, is that the costs of the attack shouldn't directly affect clients.
"It didn’t impact services in real time, and we don't anticipate it will going forward."
Be smart about ransomware
Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
Never click on links or open attachments in unsolicited emails.
Back up data on a regular basis. Keep it on a separate device and store it offline.
Follow safe practices when browsing the internet.
Restrict users’ permissions to install and run software applications and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
Allow only approved programs to run on a network.
Enable strong spam filters to prevent phishing emails from reaching the users and authenticate inbound email to prevent email spoofing.
Scan all incoming and outgoing emails to detect threats.
Configure firewalls to block access to known malicious IP addresses.
Source: National Cybersecurity & Communications Integration Center
If you are among the Delaware Guidance Services clients who were impacted by this event, please contact reporter Christina Jedra at (302) 324-2837 or firstname.lastname@example.org.
Date added: March 15, 2019, 8:52 a.m.