Skip to content ↓ | Skip to navigation ↓

The National Capital Poison Center (NCPC) in Washington, DC has published notice of a ransomware attack it suffered back in 2017.

According to the news release (PDF), the critical health resource detected a ransomware infection on its systems in October 2017. It then launched an investigation into the matter with the assistance of a third-party forensic expert. Here’s what the NCPC has learned so far:

While this investigation is ongoing, on November 27, 2017, NCPC determined that unauthorized access to a database server occurred on October 21, 2017, and that unauthorized access to the data stored on that server cannot be ruled out. The possibly affected database contains information provided during calls made to or from the center between January 1997 and October 21, 2017.

The NCPC goes on to clarify that the affected database did not contain Social Security Numbers, passport data, or any type of financial information. Instead it consisted of personal information collected during call center calls like a person’s name, date of birth, address, phone number, email address, and medical recommendations discussed over the phone.

At this time, it’s unclear what ransomware struck the NCPC, whether it paid the ransom or restored from backups, and how many people the attack might have affected.

Dr. Toby Litovitz, Executive and Medical Director of NCPC, urges those concerned by the possible exposure of their personal information to reach out to the Center:

NCPC takes the security of information stored on our systems very seriously, and we understand this incident may cause concern or inconvenience. We continue to work with third-party forensic investigators to ensure the security of our systems, and encourage people to contact us at 877-218-3009 (U.S. and Canada callers) or 814-201-3664 (international callers) with any questions or concerns.

The NCPC currently lacks complete contact information for at least some of the records in the affected database. As a result, it’s posting the ransomware notice on its homepage ( along with the websites of state media outlets and publications. It’s also urging those who might be affected to place a fraud alert or credit freeze on their credit reports with TransUnion, Experian, Equifax, and Innovis.

In the meantime, organizations can protect themselves against ransomware attacks by implementing foundational security measures that, among other things, protect data via encryption, limit what individuals can access sensitive information, and ensure an organization can recover from a data corruption incident using data backups. Learn more about these controls and how they pair with Tripwire’s solutions here.

News of this attack follows less than three months after Arkansas Oral & Facial Surgery Center notified 128,000 patients of a ransomware attack that might have exposed their information.