Serving the home health, home care and hospice industry since 1999.

by Tim Rowan, Editor

On November 14, someone, somewhere either clicked on a phishing email or was fooled into thinking someone on the phone was a real co-worker who needed her password. The result of this brief moment of weakness was a massive disruption in the operations of more than 100 home health agencies and hospices that use Casamba's EMR software. A tragedy like this reminds one of the otherwise well-behaved child who plays with matches one time and burns down the family house. Minor error, unimaginable consequences.

We may never know exactly how a ransomware attacker gained a foothold in the Wilmington, Massachusetts computer system originally built by HealthWyse, now a division of Casamba, but phishing by email and fake phone calls is how these criminals usually insert their malware. By initiating thousands of attempts, more often using social engineering than direct firewall attacks, they sometimes get one through...and one is all they need.

Almost back to normal

Casamba president Billie Jo Nutter assured us this week that the company will not only survive its ransomware experience but come out stronger on the other side. We spoke with her between what she described as an ongoing series of phone calls to customers. "We are calling all of our customers all the time," she told us. She continued to explain the experience and reparations:

"Our recovery process has taken longer than hoped but necessarily so, as we have remained focused on security throughout the process. Our forensic specialists were able to investigate the full nature of this incident and concluded that this matter, despite its impact on operations, did not lead to a compromise of protected health information or other personal information. As we rebuilt the various platforms, we've done so in a way that will enable us to continue to tell clients that their data is secure. We are reaching out to each of our clients to ensure they have the information they need regarding this matter, and to address any concerns with services that remain."

She also asserted that the attack did not bleed through from servers at their Massachusetts offices, "our smallest division," to Casamba's contract therapy and long-term skilled nursing care servers in California. Nor did it compromise patient information stored in the Casamba cloud or on the servers of customers that store their own data locally.

"Our alert IT personnel acted quickly when they realized we had been attacked. They shut everything down immediately," Ms. Nutter told us. "When we determined it was ransomware, we engaged Charles River Associates to conduct forensics. Somehow, CRA obtained the hacker's encryption code, which meant we could start recovery without having to pay the ransom. The criminal side of the case is in the FBI's hands now and we are focused on our customers."

Casamba's recovery plan, she explained, includes retiring all of the Wilmington servers and reinstalling applications and data on new, faster servers in a secure location near the company's Agoura Hills (Los Angeles) headquarters. She added:

"We have been thoughtful about the performance and reliability of our product and the user experience. I would like nothing more than their experience to exceed prior performance levels. The impact of moving a datacenter, servers, to a new environment, rolling out a highly complex regulatory package, and applying additional layers of security and protection proved to be a burden on performance. We have employed extensive monitoring systems and feel confident the direction we are moving in will yield better performance."

Prevention measures all could adopt

Today, three months after the incident, Casamba is able to turn its focus to prevention and the future, anxious to ensure nothing like this ever happens again. "If it was a staff person falling prey to social engineering, and not a weakness in our cybersecurity measures that unlocked the door, we had to reduce the chances that could ever happen again," Nutter said.

Casamba hired a Florida security awareness training company called "KnowBe4," under the premise it might not be enough to merely send a memo saying, "Please don't click on suspicious emails." We contacted KnowBe4 to ask about their intrusion prevention training.

KnowBe4 is a company that seems to be meeting a need. It opened with nine employees in 2011 and is now in nine countries and employs over 900. It offers online, cloud-based security software with security awareness training.

A typical engagement begins with simulated phishing to evaluate employee awareness. They set up baseline testing to find out how many employees are likely to click on a suspicious link. Online training is then customized to the needs of those individuals, with the goal of making clicks on phishing links or falling for social engineering phone calls less likely.

KnowBe4's training content is delivered online, in videos running from 30 seconds to 45 minutes. One of the company's episodic series, Season 1 of its "Inside Man" series, won an award last year at the Cannes film festival in the corporate films category. They have also been recognized by Gartner. A company spokesperson explained that they produce over one thousand types of content "because no two people learn the same way, and company cultures are different in tone and style."

Casamba president Nutter concluded our visit with the prediction that the company's home health and hospice division will survive this episode and emerge stronger. She is also confident that longtime customers will remain loyal because of the way the company has handled communications and offered to work with them to get through long periods when they were unable to produce claims.


©2020 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Tim Rowan's Home Care Technology Report. One copy may be printed for personal use; further reproduction by permission only.