Emory Healthcare hit by ransomware, data of over 200,000 patients hacked

The organization was infected with Harak1r1 the 0.2 Bitcoin Ransomware, which completely wipes data from the hacked database instead of traditional encryption.
By Jessica Davis
05:44 PM

Atlanta-based Emory Healthcare was hacked by the Harak1r1 the 0.2 Bitcoin Ransomware, MacKeeper security researcher Chris Vickery discovered on Jan. 3.

On Dec. 30, MacKeeper Security Research Center discovered a misconfigured MongoDB database that contained data from over 200,000 patients and other sensitive information. On Jan. 3, the firm confirmed this data was linked to Emory Brain Health Center.

[See them all: 10 stubborn cybersecurity myths, busted]

It appeared Harak1r1 wiped a database of the Brain Health Center and blocked access to these records, Vickery said. The database is gone and now boasts a ransomware message asking for .2 bitcoin.

The data appeared to be orthopedic and clinic workflow records. All files included names and addresses. Some included emails, birthdates, medical record numbers and cellphone numbers. The timestamps of the files are dated from 2015 - 2016.

These types of files are often used for medical fraud and forging medical bills.

[Also: The biggest healthcare breaches of 2017 (so far)]

Vickery could not determine if the site was under the control of Emory or a third-party business associate.

Emory’s website, however, has not posted about the ransomware attack. Healthcare IT News has reached out to the organization for comment.

The breach is part of a new Harak1r1 campaign that attacks misconfigured MongoDB databases.

The virus wipes the hacked databases clean - instead of encrypting files. It then takes over databases that are left online without an admin password, BleepingComputer’s Security Researcher Catalin Cimpanu said. Researchers first saw the virus in the wild on on Dec. 21.

The attacker, Catalin explained, appears to have performed a mass-scan to find these unprotected MongoDB databases. After, the hacker accessed the sites and held the data for ransom. 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.