A US hospital has admitted suffering a mysterious malware attack that grabbed screenshots containing the personal data of 5,400 patients from hospital PCs before hiding them in an encrypted folder for probable transmission to criminals.

In a statement, the small Valley View Hospital in Glenwood Springs Colorado said that it had discovered the attack in January 2014, after which a third-party forensics firm identified the malware as a screen grabber that stored the data in an encrypted cache.

Each of the 5,400 patients whose details has been accessed was allotted a sub-folder, inside of which were grabs revealing different amounts of personal data including addresses, dates of birth, social security numbers, credit card data, patient numbers and discharge dates, the hospital said.

No medical data was included and it was not certain that these files had been transmitted beyond the network but that this folder would have been externally accessible. The attack appeared to have dated back to September 2013.

Given the encryption used it is not clear how the forensics team accessed the contents of the folder but it is possible they found a key or keys used to encrypt it.  

“We apologize for any inconvenience or concern that this may cause our patients, employees and their families,” said Valley View Hospital Association chief executive, Gary Brewer.

“We take our responsibility to protect patient information very seriously. We have responded to this situation as quickly and comprehensively as possible, and we continue to monitor progress as we take steps to inform and support those potentially affected by this incident.”

The Hospital was mailing breach notification advice to affected patients and had upgraded its security systems, he said.

The hospital didn’t reveal which type of malware was involved in the attack but some form of re-purposed bank Trojan such as Citadel is a possibility. The giveaway is probably the fact that the malware reportedly encrypted the files it had stolen in a dedicated folder, which suggests something more along the lines of Carberb, a common multi-purpose Trojan that appeared in 2012.

If Carberp or a similar Trojan is involved, that significantly raises the chances that the data the hospital discovered was removed by the criminals; encryption would have happened prior to this.  

The attack bears some similarities to one on a hospital in Indiana in 2012, an incident in which malware attempted to steal sensitive forms data.