# Incident Report: Cochise Eye & Laser Ransomware Attack
## Executive Summary
Cochise Eye & Laser, an Arizona-based optometrist, suffered a ransomware attack targeting their patient scheduling and billing software. The attack resulted in the encryption and, in some cases, the deletion of critical operational data, severely disrupting business processes. The organization responded by reverting to manual paper-based operations while data recovery efforts were underway.
## Incident Details
- **Discovery Date:** Not explicitly stated, but implied shortly before the public announcement.
- **Incident Date:** March 2021 (inferred from the March 8, 2021 publication date of the report describing the incident).
- **Affected Organization:** Cochise Eye & Laser
- **Sector:** Healthcare (Optometry/Ophthalmology)
- **Geography:** Arizona, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Exploitation of the patient scheduling and billing software.
- **Details:** Attackers gained access, primarily focusing on systems housing patient records.
### Lateral Movement
- **Details:** Attackers manipulated data within the compromised software, leading to encryption and deletion of scheduling data.
### Data Exfiltration/Impact
- **Details:** Patient data (names, dates of birth, addresses, phone numbers and, in some cases, SSNs) was encrypted and in some cases deleted, rendering the scheduling system inaccessible. The attacker employed double-extortion tactics, but Cochise confirmed evidence only of encryption and deletion, not of exfiltration.
### Detection & Response
- **Details:** The organization confirmed the incident via a public breach statement.
- **Response actions taken:** Initiated data recovery efforts and reverted entirely to paper-based operations (paper, pens, and charts) for scheduling.
## Attack Methodology
- **Initial Access:** Exploitation/Compromise of patient scheduling and billing software.
- **Persistence:** Not detailed, but likely involved maintaining access long enough to execute the encryption payload.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Likely focused on identifying systems housing sensitive patient data within the target environment.
- **Lateral Movement:** Data manipulation within the billing/scheduling system environment.
- **Collection:** Prior to encryption, the threat actor gained access to sensitive patient information.
- **Exfiltration:** Threat actor claimed the intent to leak data (double extortion), but the organization reported "no evidence that the data was taken, only that it was encrypted, and in some cases deleted."
- **Impact:** Data encryption and deletion, leading to severe operational disruption.
## Impact Assessment
- **Financial:** Not stated, but significant operational downtime and recovery costs incurred.
- **Data Breach:** Sensitive patient records compromised, including Names, Dates of Birth, Addresses, Phone Numbers, and potentially Social Security Numbers.
- **Operational:** Severe disruption; the organization was functionally pushed back "several decades," forced to rely on paper charts for scheduling and billing.
- **Reputational:** Public reporting of the breach via a breach statement.
## Indicators of Compromise
- *(No specific IOCs were detailed in the provided text.)*
- **Behavioral indicators:** Unauthorized encryption and deletion of records within the billing/scheduling database.
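The behavioral indicator above (a burst of unauthorized record modification and deletion inside the scheduling database) can be turned into a simple detection. The following is an added example, not part of the original report or any Cochise Eye & Laser tooling: it assumes a hypothetical application audit-log format of `timestamp account action table record_id`, uses a constructed sample log, and alerts when one account performs more destructive operations on one table within a sliding time window than a threshold allows.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-log lines (hypothetical format: ISO timestamp,
# account, action, table, record id). Not real logs from the incident.
SAMPLE_AUDIT_LOG = """\
2021-03-05T08:01:10 frontdesk UPDATE appointments 1044
2021-03-05T08:03:42 frontdesk INSERT appointments 1045
2021-03-05T08:15:07 billing UPDATE invoices 772
2021-03-05T23:10:01 svc_sched UPDATE appointments 1001
2021-03-05T23:10:01 svc_sched UPDATE appointments 1002
2021-03-05T23:10:02 svc_sched UPDATE appointments 1003
2021-03-05T23:10:02 svc_sched DELETE appointments 1004
2021-03-05T23:10:03 svc_sched DELETE appointments 1005
2021-03-05T23:10:03 svc_sched UPDATE appointments 1006
2021-03-05T23:10:04 svc_sched DELETE appointments 1007
2021-03-06T08:02:30 frontdesk UPDATE appointments 1046
"""

# Operations that overwrite or remove existing records; INSERT is benign here.
DESTRUCTIVE = {"UPDATE", "DELETE"}


def parse_line(line):
    """Split one audit-log line into its typed fields (assumed format)."""
    ts, account, action, table, record_id = line.split()
    return datetime.fromisoformat(ts), account, action, table, record_id


def detect_mass_modification(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (account, table) whose destructive operations
    reach `threshold` inside any sliding interval of length `window`."""
    recent = defaultdict(deque)   # (account, table) -> timestamps in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, action, table, _record_id = parse_line(line)
        if action not in DESTRUCTIVE:
            continue
        key = (account, table)
        q = recent[key]
        q.append(ts)
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "account": account,
                "table": table,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_AUDIT_LOG):
        print("ALERT mass modification:", alert)
```

Normal front-desk activity (a few edits spread over a day) never trips the threshold, while the service account's seven updates and deletes within a few seconds late at night produce a single alert as soon as the fifth event lands. In a real deployment the threshold and window would be tuned against baseline volumes for each table, and the alert would feed an automated response such as revoking the account's session.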
## Response Actions
- **Containment measures:** Unknown, but necessary to halt further encryption/damage.
- **Eradication steps:** Not detailed, pending recovery.
- **Recovery actions:** Data recovery efforts are underway; a temporary manual workaround using paper charts has been implemented.
## Lessons Learned
- The dependence on a single, potentially vulnerable system (patient scheduling/billing software) for critical operations created a single point of failure.
- The use of paper backups/contingency plans, while archaic, proved functionally necessary to maintain minimal operations immediately post-incident.
## Recommendations
- Implement robust, immutable, and segmented backups for all critical systems, especially scheduling and billing software.
- Segment network environments to limit the blast radius of malware impacting core business applications.
- Perform immediate application security reviews and patching on all third-party software interfaces handling sensitive patient data (PHI/PII).