Parsons, Tenn.-based Decatur County General Hospital began notifying 24,000 patients Jan. 26 that its EMR server had been hit with cryptocurrency mining software, according to a notice on the hospital's website.
Here are seven things to know.
1. On Nov. 27, 2017, the hospital received a security incident report from its EMR vendor alerting DCGH that unauthorized software had been installed on the EMR server.
2. The software was installed to generate — or mine — cryptocurrencies. Mining the digital coins takes a lot of computing power, so recently, hackers have infected victims' computers with software that initiates the mining process. Though it is not clear what specific strain of cryptocurrency mining malware was used on DCGH's EMR server, these types of malware are often designed to reside on websites and run in the background of internet browsers.
3. However, DCGH notes the software was installed on the system around Sept. 22, 2017, and the EMR vendor replaced the server and operating system about four days later. It is not clear why the hospital wasn't alerted to the incident until two months later.
4. While the hospital's investigation is ongoing, officials do not believe the unauthorized individual intended to steal or exfiltrate patient data. Officials believe the goal of the attack was to inject the malicious software.
5. The affected server contained patient names, addresses, dates of birth and Social Security numbers, clinical information such as diagnosis and treatment information, and other data such as insurance billing information.
6. Out of an abundance of caution, DCGH is offering affected individuals one year of free online credit monitoring services.
7. "Again, our investigation into this incident continues but we do not believe the motivation of any unauthorized access to the EMR server was to access or acquire your information," hospital officials wrote in a notice to patients. "We encourage you, however, to exercise caution regarding communications if you receive an unsolicited call or email about this incident. Please know that we will not call or email anyone requesting any personal information as a result of this situation."
Becker's Hospital Review reached out to Decatur County General Hospital. This story will be updated as more information becomes available.