Cochise Eye & Laser, an Arizona-based optometrist, has suffered a ransomware attack.
# Incident Report: Cochise Eye & Laser Ransomware Attack
## Executive Summary
Cochise Eye & Laser, an Arizona-based optometrist, suffered a ransomware attack targeting their patient scheduling and billing software. The primary impact was the encryption (and in some cases, deletion) of essential operational data, forcing the practice to revert to manual paper-based record-keeping. While the attackers employed double extortion tactics, evidence only suggested data encryption, with no confirmed exfiltration at the time of the statement.
## Incident Details
- Discovery Date: Undisclosed (Likely coincides with the attack incident date)
- Incident Date: On or before March 8, 2021 (Date of public report)
- Affected Organization: Cochise Eye & Laser
- Sector: Healthcare (Optometry/Ophthalmology)
- Geography: Arizona, USA
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Unknown (the only available inference is that ransomware was successfully deployed against the core business software)
- Details: Threat actor targeted the optometrist’s patient scheduling and billing software.
### Lateral Movement
- Details: Not specified, but the attack resulted in the encryption/deletion of data within the core operational systems.
### Data Exfiltration/Impact
- Details: The threat actor encrypted patient data and, in some cases, deleted it, rendering the scheduling and billing software inaccessible. The affected data included names, dates of birth, addresses, phone numbers, and in some instances, Social Security Numbers.
### Detection & Response
- Details: The incident became publicly known via a breach statement released by Cochise Eye & Laser. Response included initiating data recovery efforts and temporarily reverting all scheduling and billing operations to manual processes (paper, pens, and charts).
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Affected core scheduling and billing systems.
- Collection: Sensitive patient records were held hostage through encryption (and in some cases deletion); the statement did not confirm that records were collected or staged for exfiltration beforehand.
- Exfiltration: Evidence suggested only data encryption/deletion; no evidence of exfiltration was reported initially, despite the double extortion warning.
- Impact: Inability to access operational data, rendering scheduling and billing systems unusable and reverting operations to manual processes.
## Impact Assessment
- Financial: Not disclosed, but implied costs related to recovery and operational downtime.
- Data Breach: Sensitive customer records including Names, Dates of Birth, Addresses, Phone Numbers, and SSNs (in some cases).
- Operational: Significant disruption; the practice had to go back "several decades" to paper charts for scheduling.
- Reputational: Potential impact due to the exposure of patient PII/PHI.
## Indicators of Compromise
- *Note: No specific IOCs (IPs, domains, hashes) were provided in the source text.*
- Behavioral indicators: Successful deployment of ransomware leading to data encryption/deletion within critical business software.
## Response Actions
- Containment: Not detailed, but necessary to halt further encryption/damage.
- Eradication: Not detailed.
- Recovery: Data recovery efforts were underway; contingency operations were established using paper records.
## Lessons Learned
- Reliance on legacy or vulnerable operational software (scheduling/billing) provides a significant target for ransomware actors.
- The use of double extortion tactics creates high pressure on victims, even when data exfiltration is unproven.
- A significant operational dependency on a single system can lead to catastrophic downtime if that system is compromised.
## Recommendations
- Implement robust, segregated, and tested backups for all mission-critical systems (scheduling/billing) to ensure rapid recovery without reliance on paying the ransom.
- Review and segment access to systems containing PII/SSNs to limit the blast radius of potential ransomware deployment.
- Enhance security monitoring around access to and modification of patient management software.