Hospital hit by screen-grab Trojan that attempted to steal 5,400 patient records

Multi-purpose Trojan the most likely culprit

A US hospital has admitted suffering a mysterious malware attack that grabbed screenshots containing the personal data of 5,400 patients from hospital PCs before hiding them in an encrypted folder for probable transmission to criminals.

In a statement, the small Valley View Hospital in Glenwood Springs Colorado said that it had discovered the attack in January 2014, after which a third-party forensics firm identified the malware as a screen grabber that stored the data in an encrypted cache.

Each of the 5,400 patients whose details has been accessed was allotted a sub-folder, inside of which were grabs revealing different amounts of personal data including addresses, dates of birth, social security numbers, credit card data, patient numbers and discharge dates, the hospital said.

No medical data was included and it was not certain that these files had been transmitted beyond the network but that this folder would have been externally accessible. The attack appeared to have dated back to September 2013.

Given the encryption used it is not clear how the forensics team accessed the contents of the folder but it is possible they found a key or keys used to encrypt it.

"We apologize for any inconvenience or concern that this may cause our patients, employees and their families," said Valley View Hospital Association chief executive, Gary Brewer.

"We take our responsibility to protect patient information very seriously. We have responded to this situation as quickly and comprehensively as possible, and we continue to monitor progress as we take steps to inform and support those potentially affected by this incident."

The Hospital was mailing breach notification advice to affected patients and had upgraded its security systems, he said.

The hospital didn't reveal which type of malware was involved in the attack but some form of re-purposed bank Trojan such as Citadel is a possibility. The giveaway is probably the fact that the malware reportedly encrypted the files it had stolen in a dedicated folder, which suggests something more along the lines of Carberb, a common multi-purpose Trojan that appeared in 2012.

If Carberp or a similar Trojan is involved, that significantly raises the chances that the data the hospital discovered was removed by the criminals; encryption would have happened prior to this.

The attack bears some similarities to one on a hospital in Indiana in 2012, an incident in which malware attempted to steal sensitive forms data.

Join the CSO newsletter!

Error: Please check your email address.

Tags Valley View HospitalPersonal Techsecurity

More about Citadel

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts