ALBANY — A cyberattack on Albany accounting firm BST’s computers likely was the work of the so-called Maze ransomware ring. BST was among 25 victims listed by the cybercrime ring on its website, according to a Jan. 29 article by technology website Ars Technica.
BST was the target of a viral attack in early December, it said in letters that began arriving Tuesday in the mailboxes of numerous patients of Community Care Physicians whose information may have been taken. BST told them the attack may have exposed protected health information, date of birth and insurance coverage.
Social Security numbers, credit card information and medical records were not affected, BST said. It is offering patients whose records were exposed one year of identity monitoring with Equifax.
The likely ransomware attack, in which hackers freeze access to an organization’s computers until it pays a ransom in untraceable bitcoin, is one of a growing number of attacks in the Capital Region. Victims have ranged from the Albany County Airport Authority to the city of Albany.
Maze and other ransomware rings have begun to go public, shaming businesses and governments by publishing a portion of what they’ve accessed from the victims’ computers to prove they really have gained access. BST hadn’t publicly disclosed its security breach when Maze named it online.
“The lack of disclosure obviously means that customers/clients/vendors/partners do not know that their data is now in the hands of cybercriminals and can be downloaded by anybody with an Internet connection,” Brett Callow, a threat analyst with software company Emsisoft, told Ars. “And that means they do not know that they should set up credit monitoring, notify their financial institution, be on the lookout for scams or spear phishing attempts.”
Worse, the fact that the information is posted on a publicly accessible website puts victims at risk of others stealing the personal data.
“It’s a treasure trove of information,” Callow told the Times Union on Wednesday.
One of the items posted was a check to BST from The Bank of New York Mellon.
BST said the computer virus was active between Dec. 4 and Dec. 7, 2019, and that BST first learned of the infection on Dec. 7. BST said the attack blocked access to its files.
“We want to reassure you that the information included isn’t the most sensitive data, such as financial information, social security numbers, or medical diagnoses,” said Mackensie Greene, Community Care’s corporate compliance officer. “Instead, the information that may have been exposed includes name, date of birth, billing codes, insurance description (“self-pay,” or “commercial,” not insurance ID numbers), and medical record number. A medical record number is a randomly assigned internal number used by CCP and doesn’t tie to any other personal information.”
“We have a longstanding relationship with BST and we have been working very closely with them to monitor this unfortunate and isolated event,” Greene added. “We feel very confident that our patients’ data is secure with either company.”
Greene added that a list of frequently asked questions about the incident has been posted at www.communitycare.com.
BST issued its own statement on the incident:
“BST provided notification to individuals out of an abundance of caution, including furnishing those who may have been impacted with identity monitoring at no cost. We deeply regret any inconvenience to those who may have been affected,” BST said in a statement. “Unfortunately, data security incidents have become increasingly common and are impacting organizations both large and small, public and private. We are committed to ensuring the security of all data under our care, and encourage all to remain vigilant about the growing occurrence of cyber threats.”
The letter to patients didn’t indicate how many may have been affected, whether it was a ransomware attack in which the attacker demands a payment in return for unlocking files, and if so, how much was sought and whether it was paid. It also didn’t say whether the virus spread to Community Care’s own computers. And a spokesman for BST, Mark Bardack of Ed Lewi Associates, declined to address those questions.
However, the online posting by Maze suggests it likely was a ransomware attack. BST, in its notice about the event, said that some of its other clients may also have been affected by the breach, although it didn’t say how many.
BST is the Capital Region’s fifth-largest accounting firm ranked by number of certified public accountants, with 40 on its staff, according to the Albany Business Review’s Book of Lists.
Community Care Physicians, meanwhile, is the third-largest physician practice group in the Capital Region, according to the Book of Lists, with 275 local physicians and nearly 1.49 million patient visits in 2018.
The letter also didn’t say whether law enforcement agencies had been notified. A spokeswoman for the FBI in Albany said it wouldn’t “confirm or deny” an investigation.
Callow said that, so far, few offenders have been punished. “In the U.S., the conviction rate for cybercrime is about 0.5%,” he said. “These groups are making billions in some cases.”
And he questioned why BST took so long to notify victims.
Several other attacks on computer systems have occurred in the Capital Region in recent months.
The town of Colonie experienced a ransomware attack in January, while the Albany County Airport Authority’s computer services provider, LogicalNet, was attacked in late December. The virus spread to the airport’s computers. The airport authority ultimately paid $25,000 of the ransom, which it described as “under six figures,” while its insurance company covered the rest. The airport authority plans to seek reimbursement from LogicalNet, whose contract with the authority had included computer security.
Ars Technica reported another ransomware ring, REvil/Sodinokibi, also has threatened to go public with data if victims don’t pay. One recent victim was currency exchange and travelers’ financial services provider Travelex. That ring may also have been behind the Albany County Airport Authority attack. Airport operations weren’t affected, and the attack didn’t spread to other systems operated by the Federal Aviation Administration, the airlines, or the Transportation Security Administration.
The city of Albany’s computer system suffered a ransomware attack last March, and the city paid $300,000 for new computers and other expenses. The city did not pay a ransom.
Colonie expects to have its computers back in operation this month, but it is unclear if the town paid a ransom.