The Most Devastating Healthcare Ransomware Attacks in 2019

Ransomware is malware that hackers use to lock computer systems, block access, and demand payment from their victims to release them.

Targets of ransomware include…

  • Hospitals

  • Healthcare institutions

  • School districts

  • Municipalities

These attacks have impacted 621 organizations in 2019 as of the end of September.

This year, organizations have seen a large increase in ransomware attacks. From Q4 of 2018 to Q1 of 2019, ransomware attacks increased by 195%. In Q2 of this year, the ransom payment increased by 184% from $12,762 to $36,295.

These attacks will likely continue because they’re easy money for hackers. But not all organizations pay the ransom; it depends on how damaging the attack is to the victim.

But out of all targets, health centers fall victim to ransomware attacks most often.

Here’s a list of healthcare organizations affected by ransomware attacks so far in 2019. 

DCH Health Systems - Alabama (October 1)

A ransomware attack on DCH Health Systems limited access to their IT infrastructure. The attackers used a variant of the Ryuk ransomware to maliciously encrypt targeted files.

The hospital system had to turn away new patients due to safety concerns, but they were still able to treat currently admitted patients.

They asked that patients call before coming in for a scheduled appointment since the hospital couldn’t access patient lists to call to reschedule.

On October 5th, DCH Health Systems announced they purchased the decryption key to unlock the data. 

 
 

Campbell County Health - Wyoming (September 20)

Campbell County Health (CCH) faced a ransomware attack that affected all 1,500 of their computers.

The organization denied new patient admission and halted some services following the attack. CCH also had to cancel many already scheduled exams and procedures. They advised patients to call them if they had a planned appointment before the attack.

The hospital worked with other facilities to transfer patients if CCH couldn’t provide the care that they needed. 

There was no evidence of accessed or misused patient data. On October 3, CCH reported that some services were still unavailable but they were making great progress in getting back to full function.

As of October 7th, the medical group’s clinics, lab, and radiology are fully functioning. But their respiratory therapy and sleep center divisions still remain closed.

PerCSoft - Wisconsin (August 29)

PerCSoft is the cloud management provider for DDS Safe, an online data backup service.

In August, an attack on PerCSoft led to encrypted dental records for approximately 400 practices that rely on DDS Safe. Both PerCSoft and DDR were able to get a decryptor to regain access to client files. 

On October 4, DDR announced the completion of the DDS Safe attack investigation. It appeared that the attack was a simple lock-out with no compromised data. 

Wood Ranch Medical - California (August 10)

One of the most devastating ransomware attacks in 2019 happened to Wood Ranch Medical (WRM). It was so severe that the organization had to close its doors.

Attackers locked the practice's system containing patient records, making them unrecoverable. The medical center believed the attacker only wanted money and not their data. 

WRM was unable to restore the patient data stored in their computer systems due to attack damage. As a result, the practice announced in September that they will officially close their doors on December 17, 2019.

Between September 18th and the closing date, the system worked with patients to help find another practitioner.

Eye Care Associates - Ohio (July 28)

For over two weeks, one of the largest ophthalmology and optometry practices in the eastern Ohio region couldn't access their computer system.

Eye Care Associates employees walked into work on the morning of July 28th to find that their system was maliciously locked. 

The attack affected every computer in the practice’s system. The only thing employees could do to get back online was to respond to the attacker. 

Instead, they decided not to give in. The team worked with their backup storage service to restore encrypted files. The requested ransom remains unknown. 

The attack halted all appointment bookings, forcing the practice to rely on paper records during patient visits. 

Premier Family Medical - Utah (July 8)

320,000 patients received notifications that their data was potentially compromised after Premier Family Medical faced a ransomware attack.

The hack locked out certain, specific data within the practice’s system on July 8th. Once the attack was noticed, law enforcement was immediately notified.

The notification sent out stated, “there was no reason to believe that hackers accessed or stole patient information.”

Since the hack, Premier has involved technical consultants to help regain access to their data.

Grays Harbor Community Hospital and Harbor Medical Group - Washington (June 15)

While people prepared for the hot sun and sandy beaches, about 85,000 others received notification about a ransomware attack.

Grays Harbor Community Health Hospital (GHCH) and Harbor Medical Group (HMG) notified patients about an attack in June 2019.

The hackers demanded $1 million in payment. GHCH and HMG turned to the FBI, who advised that they shouldn’t pay the ransom.

In this case, paying the ransom didn’t guarantee restored access to the information. Thankfully, the information was not sent outside of the system database during the siege.

GHCH and HMG were able to continue care during and following the attack. They used backup procedures to recover much of the patient health care information.

N.E.O. Urology - Ohio (June 10)

Hackers requested $75,000 in bitcoin to unlock the medical files during an attack that held N.E.O. Urology’s computer system hostage.  

N.E.O. Urology stated that the hackers went so deep into their system that it took two days to access it. The practice reported to police a loss in revenue during the downtime of between $30,000 and $50,000 per day.

In this case, N.E.O. Urology gave in to the criminals and paid to have their data unlocked using a third party.

Park DuValle Community Health Center - Kentucky (June 7)

The June ransomware attack on Park DuValle Community Health Center was their second attack this year. After the first attack in April, the practice used backups to restore data and rebuild the computer system. 

The medical record system of around 20,000 patient records was inaccessible, as well as the appointment scheduling system. The computers stayed locked down for about three weeks after the April attack, but for more than seven weeks after the most recent one.

The practice was unable to use backups and rebuild the system after the attack in June. Workers recorded information on paper and relied on self-reports from patients about past treatments. 

The health center had no choice but to pay the ransom of $70,000, but the true cost of the attack totaled more than $1 million. Officials say patient data wasn't breached, stolen, or viewed in either instance.

Brookside ENT and Hearing Center - Michigan (March 2019)

Brookside ENT and Hearing Center permanently closed after the damage from a ransomware attack.

The doctor’s office refused to pay the ransom of $6,500 for the code to unlock their files. They didn’t pay because there was no guarantee the code would work. They also feared that the hackers would ask for more money later.

The hackers didn't copy or share any information, but they erased all files. It’s impossible for new doctors to know all the details of a patient’s previous health information without medical records. Some of the affected patients had just finished surgery and had no way to follow up.

The two doctors that ran the practice decided to retire early rather than rebuild from the ground up.

Brookside ENT closed its doors on April 30th, 2019, just one month after the attack.

Columbia Surgical Specialists - Washington (January 9)

Nine days after celebrating the New Year, Columbia Surgical Specialists paid $14,000 after an attack. It was clear that they wouldn’t be able to access patient information unless they paid the fee. 

The attack affected up to 40,000 patients’ data, but it was unlikely that hackers accessed any PHI.

Conclusion

These attacks are already costly due to downtime, so some organizations don’t want to pay for a decryption key as well.

But restoring information from backup systems may be time-consuming or even impossible. This leaves your organization with no choice but to either pay or shut down.

Paying has its advantages and disadvantages. It reduces disruption and can cost less than downtime. Insurance may even help cover costs from the attack. But paying does not guarantee you'll receive a decryption key or one that works.

In the first half of 2019, 96% of companies that paid ransom received a decryption tool that worked. But victims who paid for a decryption key in Q2 of 2019 only recovered 92% of data.

Hackers could also target the same place multiple times since they know they’ll get paid.

Even the FBI and law enforcement have advised against paying a ransom. Doing so gives an incentive for hackers to continue these attacks.

Hacking healthcare companies impacts both everyday operations and patients. Many attacks limit all access to critical health exams and procedures.  Sometimes they can even infect certain medical devices.

If your organization experiences a ransomware attack, every decision you make counts.