The American Dental Association accidentally sent malware-infected USB drives to thousands of dental offices nationwide. The USBs, shaped like business cards, were meant to provide offices with new billing codes for insurance purposes, according to Krebs on Security.
The malware was first discovered when “Mike” from Pittsburgh received a USB in the mail and became suspicious of its integrity. Instead of plugging it in and using it straightaway (as most people would do), he plugged it in and inspected the code within one of the files on the USB. He discovered that the code tries to open a web page that distributes malware. The specific domain, once visited, allows cyber criminals to install malware on the victim’s device and take control of the entire Windows system.
The ADA is aware of its mistake and has sent a message to those who received the USBs. In their message, they advise members who have yet to use the USB to simply throw it away. For those who have used it, ADA mentions that any antivirus program would detect the malware and prevent it from opening. However, this is untrue as only some of the antivirus programs available can detect the malware.
The message also mentions that dental offices can continue to use the USBs that appear to work correctly (bad idea). They close by apologizing for “any inconvenience.”
Naturally, dentists are upset. Not only has the ADA made a huge mistake in mailing out USBs when they could have sent the billing codes via a downloadable link, but they continue to misinform their members.
An investigation is currently underway. The ADA said the USBs were manufactured in China by a subcontractor of an ADA vendor. Starting in late 2015, 37,000 devices were distributed. Investigators theorize that one of the machines used to create the USBs was infected with malware, which was then transferred to the USBs.
Bob Ertl of cloud security firm Accellion told Healthcare IT News, “Of course, malware-infected USB drives are nothing new – which is why the ADA's decision to use them is so disconcerting.”
He added, “Like sharing passwords, connecting untested thumb drives to information systems containing sensitive data like personal health information violates the most fundamental rules of InfoSec. The healthcare industry – which includes dentistry – is fraught with data breaches.”