Norfolk General Hospital

Norfolk General Hospital Data Breach (2015)

low

VERIS
Disclosed

January 1, 2015

Records

Undisclosed

Confirmed

Root Cause

Ransomware

Industry

Healthcare

Description

The website of an Ontario hospital may have infected the computers of patients and staff with ransomware planted on the site during a hack attack, the internet security company Malwarebytes warns. Norfolk General Hospital, located in Simcoe, Ont., confirms its website was hacked by cybercriminals, but denies that visitors were ever at risk.

The attack appears to be part of a trend of cybercriminals targeting hospitals, including one on the Ottawa Hospital in March and another in February that hit the Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom to have its systems restored.

Jérôme Segura, a senior security researcher with Malwarebytes, reported in a blog post this week that in late February, Norfolk General Hospital's website was observed pushing ransomware called Teslacrypt to computers that visited the website. Teslacrypt locks your files and makes them inaccessible using encryption, then demands a ransom of $500 US to restore access.

Drive-by download

The file was served in a "drive-by download" attack, Segura said, meaning you don't have to click on anything on the page. "You just go to the site that's compromised, and within a few seconds, malware is downloaded onto your computer and that's it," he told CBC News.

In this case, visitors to the site would have included patients, their families and staff who accessed a staff portal with schedules and an internal directory via the website. Visiting Windows computers would have been vulnerable if they were running Internet Explorer or older versions of the Adobe Flash or Microsoft Silverlight players.

Segura said hospitals are in many ways the "perfect victim" for cyberattacks. "Their systems are out of date, they have a lot of confidential information and patient files. If those get locked up, they can't just ignore it."

Segura said Malwarebytes detected an attack from the Norfolk General Hospital website via a user of Malwarebytes anti-exploit software. The free software detects and blocks web-based attacks, then sends a report back to Malwarebytes. The attack caught Segura's eye because he's based in Canada and the attack came from a site with a .ca domain name.
