EP 51: Cyber Extortion of Patients
About this episode
April 14, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss how cyber criminals are sending ransom demands to the people in the medical records they steal.
Speaker 3: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cyber security council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake Bernstein: So Kip, what are we going to talk about today?
Kip Boyle: Hey, Jake, we're going to talk today about this, surprising to some people, new cyber extortion tactic that has actually surfaced demanding ransom from the people who appear in stolen PII records.
Jake Bernstein: Well, I have to say that I'm not surprised at all by that. In fact, the only thing that surprises me is that it hasn't happened sooner.
Kip Boyle: I have to admit, I'm surprised it hasn't happened sooner either. And when I see things like this, I start to try to put myself into the minds of the cyber attackers and just wonder like, "Okay, why haven't they done this before? What does the fact that they're doing this now say to us about their capabilities? And how could they extend this new attack strategy?" But ultimately cyber attackers continue to surprise people. But I just see them as amoral, just biological germs. Germs don't discriminate. They don't care what race you are. They don't care what your socioeconomic status is or what country you live in. So cyber attackers are just like that. We've talked about this before. Everyone's a target and every attack is an opportunity to become more virulent.
Jake Bernstein: Cyber hygiene, indeed.
Kip Boyle: Yup. That's what everybody needs. So let's get into this story because I think this stuff is so under-reported, particularly in the mainstream media. But this new cyber extortion actually happened to the patients of a doctor who is located in Florida. And I read this story on beckershospitalreview.com. So listeners, if you want to really dive into this deeply, I mean, we're going to talk about it. If you really want to get into it just do a Google search or bring up beckershospitalreview.com. I'm going to give you some additional information so you can find this story. I shared it actually on LinkedIn and Facebook already because I was curious what kind of reactions that I would get. And most people said they wouldn't pay if their medical records were at risk like this. But I suspect that if the victim had a medical condition that was intensely embarrassing or might cause them to be denied insurance or a job, they might pay. What do you think?
Jake Bernstein: I think everyone's going to have their own threshold for what might cause them to pay a ransom. And I think what is causing this is, on some level the advice to not pay ransoms must be getting out there because it looks like to me that if I steal from the clinic, then I'm obviously going to try to ransom the clinic. But I can increase the chances of getting some kind of payday if I also ransom everyone whose information I have. So from the attacker's perspective, trying to get a ransom from every possible person affected is extremely rational. And I don't know how well it will work because I don't know how much health data people actually would pay to keep private.
Kip Boyle: Right. It's not clear. But the people that weighed in on this on social media said that they wouldn't give into this.
Jake Bernstein: Which that is one of those things where sometimes it's hard for people to react appropriately to a hypothetical like this. It's one thing to be like, "Oh yeah, I totally wouldn't do that." But if you actually had your information out there, you might think differently.
Kip Boyle: You might. Yeah. So let me tell you a little bit more about what led up to this. And I think as we unpack this, let's try to figure out what is this telling us about the state of affairs with cyber attacks? And see what kind of discoveries we can make. So here's what happened. So it was in November of 2019. So just a couple of months ago, Dr. Richard Davis is the owner of the Center for Facial Restoration in Miramar, Florida. And so this clinic, I think does plastic surgery, but probably not for vanity purposes, more restoration. I got the hint that it was for people who had accidents and perhaps deformities from birth or what have you. But he discovered that his server had been infected with ransomware. And when the cyber criminals reached out to them, they claimed that they had access to the patient data and that they would publicly expose the patient data if Dr. Davis did not pay the ransom. And reportedly he did not pay the ransom. Instead, he went to the FBI cyber crimes complaint website, which is at www.ic3.gov. And so he filed a complaint and then he met with the FBI who began the investigation.
Jake Bernstein: Interesting. So what PII was actually at risk? And at the risk of seeming unsympathetic, which I am not at all trying to be, this is a situation where the medical condition is obvious. So the risk of embarrassment over having gone to get an external deformity fixed is... There isn't any, it's not that type of medical condition. So given that, what PII was actually at risk?
Kip Boyle: So the doctor did a disclosure on his website and detailed what it was that they had that was compromised. So it was things like photocopies of the patient's driver's license. Or if you were a foreign national, a copy of your passport.
Jake Bernstein: So that's not good. I mean, those are things you don't want out there.
Kip Boyle: No. And then there's home address, email address, telephone number, insurance policies for most of the patients that were being treated under insurance, and credit card payment receipts.
Jake Bernstein: Okay. So we're well within the definition of personal data, you can use the old school personally identifiable information, or what would be called consumer personal information under the California Consumer Protection Act.
Kip Boyle: This is why I love having a privacy attorney on the show because I'm still walking around saying PII this and PII that. I got to get up with the times, man.
Jake Bernstein: Yeah. Stop saying PII. One of my little mini crusades is to eliminate that from the vernacular. PII is old school. It frankly has a... It actually has a dangerous connotation attached to it, insofar as historically the definitions of PII were fairly limited. And if you continue to operate with the PII mindset, you are almost certainly going to run afoul of the new laws, which have vastly broader definitions. And I like the GDPR term personal data. That's what I generally say, but because the CCPA had to be different, you'll also hear me say consumer personal information.
Kip Boyle: Okay. Well thank you for setting me straight. I appreciate it.
Jake Bernstein: Yeah. And while we're talking about that, I think a point of interest is that the reason that PII is so obsolete at this point is that consumer personal information under CCPA also includes your device information, which is well beyond what PII used to mean.
Kip Boyle: Yeah, that's right. So that would include things like my IP address and some of the other tracking things that they do to fingerprint my computer, right? Like screen size and the number of bits that I'm using for color and... Right?
Jake Bernstein: Yep. And if it's a phone, the SIM number, all of those different codes that identify the device, all of that. But that is getting far afield from our center for facial restoration problem.
Kip Boyle: Yeah, yeah, yeah, absolutely. All right. So now we know what kind of data was exposed, and it's a little worse than we were first hinting at. Because it's not just medical, it's identity, it's contact, it's credit cards.
Jake Bernstein: And those insurance policy numbers, that's a big risk of Medicare fraud.
Kip Boyle: Right. And not only that, but fraud against me as an insured, because if I've got some kind of lifetime maximum for treatment and fraudulent claims are being filed under my insurance ID, and then I need to actually use my insurance, then I may not have sufficient coverage.
Jake Bernstein: No, that's completely right. It's a big deal. So how many people were affected here?
Kip Boyle: Okay, so we're talking about 3,500 former and current patients of Dr. Davis. And here's something that I think is just perfectly ironic and happens in this day and age that we live in. So Dr. Davis, in his website notification, he wrote quite a long missive about what happened, what's going on, what they're doing about it. And I just want to read a little bit to you here. So he says, "Because we store," and he calls it PII, "as an image file of the patient's intake questionnaire and not in a database, obtaining contact information in order to individually notify all 3,500 patients has been painstakingly slow and labor intensive." He then goes on to say that, "Access to the data has been hindered by ongoing IT service disruptions. And so consequently, as an interim notification measure, I have posted this advisory on my website pending individual notifications." So he's going through JPEG files, 3,500 JPEG files, and individually writing out or extracting by hand, I guess, contact information, which just blows my mind.
Jake Bernstein: Somebody needs to teach him about OCR.
Kip Boyle: Well, okay. So let's talk about that. So one of the reasons why I absolutely winced and why I wanted to bring it up is because you know the cyber criminals have already done it. What he's doing, they've already done it. They probably ran it through a book, like you said, optical character recognition system. And they probably have it all neatly filed away into a CRM. And so the criminals probably have a better customer relationship management system on these patients than the doctor does.
Jake Bernstein: Yeah. Now what's interesting about that would be, why did they do it that way? I'm not sure if there's an answer for that at all, but it would be interesting to know [crosstalk 00:10:38].
Kip Boyle: Why did the doctor do it that way?
Jake Bernstein: Why did the doctor store it that way? I guess we don't know.
Kip Boyle: Well, I don't know. But what I make up is Dr. Davis probably got computers back in the day, like 20 years ago, when you would stick a flatbed scanner on the desk of the receptionist and they would just scan the intake form.
Jake Bernstein: Yeah, that's probably true.
Kip Boyle: And it's a JPEG and it's probably the same scanner he used when he started that.
Jake Bernstein: And real fast, I had to do some real quick math here. And I would just like to point out to the listeners just how potentially devastating even these smaller types of breaches could be. If the center for facial restoration was in California, then this provider could be looking at a class action worth $2.6 to $5 million based solely on the $750 per patient.
Kip Boyle: Wow.
Jake Bernstein: So it does add up really fast.
Kip Boyle: Yeah. I mean, people say $750 per record. And as an individual, I think, "Okay. That's it, that's interesting." But I'm not floored by that amount. But then you do the math.
Jake Bernstein: Right. And that's pretty common. It's not that massive a figure on its own, unless the AG brings the case, then it's $7,500 per patient or per person or per record.
Kip Boyle: So times 10.
Jake Bernstein: Times 10. But frankly, what's the difference? If you're a small medical office, 2.6 million, 20.6 million... Or I guess it'd be 26 million. I'm in trouble either way.
Kip Boyle: You might be bankrupt.
Jake Bernstein: Yeah.
Kip Boyle: Right?
Jake Bernstein: Probably either way.
Kip Boyle: Is there anything in the CCPA that provides some sort of a mechanism to keep bankruptcy from happening as a result of fines? Or is that just considered to be like, "Well, that's what happens, that's what happens."
Jake Bernstein: No. Yeah, that's just what happens.
Kip Boyle: So this is kind of a corporate death sentence in a way, or could be.
Jake Bernstein: Oh yeah. Well, arguably that's what a lot of regulation is there for is to provide that absolute potential. Now of course, to go afield again very briefly, the problem with death sentences like that is that they tend to cause the corporate entity to fight to the death, which can oftentimes use up all the money. So would someone actually have to pay that? No, it's a fine line. Now I will say that's a regulatory fine line and a regulatory goal. Class action lawyers? They have no such goals. They just want the money.
Kip Boyle: They're perfectly comfortable with the doctor auctioning off his examination tables and tongue depressors and all that stuff, right?
Jake Bernstein: I'm sure that there are lots of plaintiff's lawyers who would demand it. And depending upon the situation, that might be appropriate, it might not. But that is definitely the case.
Kip Boyle: Stories like this continue to remind me how desperately outgunned we are by the cyber criminals. You look at what they're able to do. They're technologically so much more advanced than Dr. Davis's office seems to be, and there's virtually no risk for them in doing this. They're not going to get caught by what? There's just no downside for them and we're just sitting ducks. I just continue to be impressed by that.
Jake Bernstein: Well, the cost to them is so minimal to do this, that if they get one person paying any type of ransom, it probably pays for the effort for, I don't know, thousands, tens of thousands of attempts? I couldn't even begin to guess.
Kip Boyle: It's pure business play. That's what legit businesses do is they spend money to market some kind of an offer on some kind of a product, and the price of the product is such that it at least covers the costs of the marketing campaign if they can just get a few people to buy it. And then everything after that's gravy. So they've just taken a page right out of the playbook of just standard business 101. Gosh. So one of the other takeaways that I have from this, which I think we should have realized this all along. So Dr. Davis had his server ransomwared, and that means that all his data files were encrypted, but he didn't pay the ransom. Or at least it was implied. He didn't come right out and say he didn't pay it, but it is implied. And so a lot of people have been thinking, "Well, if the data's encrypted, then nobody can see it." And I've always been thinking, "Well, the criminals can see it because they have the key." So to think that it's not a data breach when you get a ransomware attack, that's just shortsighted. What do you think?
Jake Bernstein: Yeah, ransomware attacks... So for example, this is a HIPAA violation automatically. Even if the ransomware actors didn't threaten to release, HIPAA is not triggered by a data breach, it's triggered by unauthorized access. And by definition, if you can encrypt, then you can copy and steal, which means you have access. And some would argue, "Well, just because you can gain the access to encrypt doesn't mean you could successfully exfiltrate." Which might be true, but that's not how the law is written. So having your data encrypted is a loss of control in a sense. And that's what will trigger that.
Kip Boyle: Yeah, okay. So listeners, if you find yourself in a ransomware attack, you've got to also accept the fact and surface the fact that you just had an access violation. So if you're in the medical industry you've got a HIPAA violation. And even if you're not, you just have to assume that the records that were encrypted that you can't look at any more, the criminals are absolutely looking at them and trying to decide what they're going to do next with them. Anyway, I just realized too that there's a little bit of ambiguity in Dr. Davis's story, because if he had ransomware on a server and he didn't pay, then how does he have all those 3,500 intake form images that he can use to do contacts? I don't know. That's unexplained.
Jake Bernstein: He may have the paper.
Kip Boyle: He might, I don't know. It's unclear. It's absolutely unclear.
Jake Bernstein: Or he simply had a backup. And so that's one of the reasons he didn't pay. He was like, "Well, I'm not going to pay, I have a backup of this."
Kip Boyle: Oh, well good for him if he did and lesson to us. But, okay. So since I have a privacy attorney on the show all the time, I want to share with you this one comment that I got on LinkedIn. And this was somebody who posted in response to the news story that I shared. And Jesse Nord, who I've never met before, but I wanted to give him a shout out here, he said, "Kip, are you aware of whether or not someone could call up prior doctors of theirs and ask them to remove social security numbers and other sensitive information?" And I thought, "Oh, that's really interesting." And so I actually responded on LinkedIn and I said, "Well, based on GDPR and CCPA coming into effect, and the fact that some providers nationwide are adhering to these requirements even though there's no state level requirements, maybe you can under those privacy laws actually get this done." But I wasn't sure. So what do you think?
Jake Bernstein: So it's all about where you live. And as of the time of recording, which is early January of 2020, then the answer is if you're in California, then yes, you have a right to have your data deleted. If you're European, then yes, you've had the right for quite some time now, for a couple of years under GDPR. But if you're anywhere else you could have a hard time doing it. There's certainly no federal US right to be forgotten. There's many states that are trying to get some of these CCPA type and GDPR type laws passed, but not a lot that have already implemented something like the right to be forgotten. So there could be a few others that I'm not remembering at the moment.
But in terms of the big ones, you're limited to being in California or in Europe. And I think one thing you could try is you can always ask. And that's one thing that I think people often forget is that these laws give you the ability to basically force the removal of your information to some degree. But if you're talking about your doctor's offices and you're not a patient there anymore, then I think that as long as you make the request and it's consistent with existing law and regulations, then it's worth a shot.
Kip Boyle: So yeah. Give it a try. Some of the customers that we're working with right now, they're operating in other states, but they're paying a lot of attention to GDPR and CCPA. And I'm thinking of one particular joint customer of ours who was setting up a method to be able to receive requests to be forgotten and to receive requests to share information that they've collected on a person. So that's what made me think that, "Well some people are already accepting the fact that this is going to be the future and that everybody's going to be able to do this." What are you seeing?
Jake Bernstein: I think that it is certainly possible that that's where we're headed. It's really interesting to me to see that Microsoft, for example, announced fairly early on, "Hey, we're just going to make CCPA applicable to everyone." Kind of like they went whole hog into GDPR, which was great. But now to extend the CCPA rights to everyone, regardless of where you live, is going above and beyond what they need to do. And I hope that other companies will follow suit. I do think that that privacy as a competitive differentiator is... It's already a big deal to a certain subset of people and I think this kind of thing will just push it even higher.
Kip Boyle: Yeah. So any last comments on this case that we've been talking about?
Jake Bernstein: Nope. I wish everyone the best of luck on that though. Hopefully they get that taken care of and locked down.
Kip Boyle: And I'm just sort of thinking, "My goodness, this is the first actual story that I've seen where the people mentioned in the records are being extorted." But gosh, I've got to think this is going to keep happening, right?
Jake Bernstein: Yep. I would assume so.
Kip Boyle: Yeah. Okay, well that wraps up this episode of the Cyber Risk Management podcast. Today, we talked about a new cyber extortion tactic demanding ransom from the people who appear in stolen personal records. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 3: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.