W. Virginia Hospital Will Report Breach in 'Donut' Data Leak

West Virginia Hospital to Report Breach in 'Donut' Data Leak
CEO Says Ransomware Attack Encrypted, Exfiltrated Legacy Data From 'Old Servers'
Marianne Kolbasuk McGee (HealthInfoSec) • April 4, 2023
A West Virginia hospital will soon begin notifying patients and employees affected by ransomware attackers who leaked data on the dark web.

Montgomery General Hospital detected "irregular" activity involving malware on its IT systems on Feb. 28, and a ransomware incident occurred on March 1, the entity's CEO, Deborah Hill, told Information Security Media Group.

The hospital promptly contacted security firm Arctic Wolf to assist in the recovery and reported the incident to the FBI and the Department of Homeland Security, Hill said. It also called its cyber insurance provider. The investigation so far has determined that the incident started with an email phishing attack, she said.

The ransomware "locked up three or four servers" containing mostly historic "institutional data," including budget documents, cost reports and payments to vendors, Hill said.

The attackers demanded a $750,000 ransom in exchange for a decryptor key and the promised deletion of exfiltrated data. "We could have attempted to pay the ransom, but the data was so old that it wasn't worth paying," Hill said. "We were advised not to pay" by law enforcement, she added.

The hospital can still obtain much of the information stored on the affected servers, such as cost reports, through vendors that have copies and backups, Hill said.

The hospital's cloud-based electronic health records were not compromised by the incident, but the hospital took that system off the internet for about 24 hours as a precaution. Staff were still able to access patient information through "hot spots," she said.

Hill said the hospital is aware that at least some of the stolen data was posted on the "Donut Leaks" website.

Montgomery General, a critical access hospital that has 25 acute care beds and 44 long-term care beds, plans to report a data breach to regulators and to notify affected patients and employees within the 60-day HIPAA breach reporting deadline, Hill said.

Individuals whose Social Security numbers were compromised in the incident will be offered complimentary credit and identity monitoring, she said.