Case Studies of Ransomware in the Healthcare Sector
Jeannine LeCompte, Compliance Research Specialist
At least two healthcare facilities have been forced to close their doors in the past year, while dozens more have paid large ransoms or suffered near-catastrophic delays, due to an ever-increasing number of ransomware attacks.
In Simi Valley, California, a healthcare clinic was forced to close its doors as of mid-December 2019 due to a ransomware attack that resulted in its patients’ personal healthcare information being encrypted. A statement written by the clinic’s owners said that the damage to their records was such that recovery was impossible, and that the facility would have to close permanently.
In April 2019, an ENT and hearing center in Michigan also permanently closed its doors following an attack which encrypted patient records, appointment schedules, and payment information. The owners refused to pay a $6,500 ransom, and the attackers then deleted all the files.
Other attacks have brought facilities to the brink of collapse.
In April 2019, a Massachusetts medical billing services company was hit by a ransomware attack which exposed the records of 206,695 patients. The ransomware used in that attack was deployed seven months after the attacker had first gained access to the company’s systems.
That same month, a large medical group headquartered in California was hit with an attack that exposed the Personal Health Information (PHI) of 197,661 patients.
Other recent ransomware attacks include:
– An Ohio-based urology practice was locked out of all computers and patient records, and eventually paid a $75,000 ransom to unlock the encryption.
– A software provider for assisted living communities had its server infrastructure, which serves more than 60 facilities, temporarily taken offline in an attack. No ransom was paid, and service was recovered from same-day backups.
– A California-based community clinics healthcare provider had its IT systems shut down in a June 2019 attack. An unspecified amount was paid in ransom, and systems were eventually restored.
– An Illinois-based company providing vision centers and eye surgery experienced the encryption of patient names, dates of birth, addresses, health insurance information, and Social Security numbers. The files were eventually restored, with considerable disruption.
– A community health center in Kentucky paid $70,000 in ransom after suffering a seven-week halt in business following ransomware which rendered its medical record system and appointment scheduling platform inaccessible. The attack cost the company around $1 million in total damages.
– Another community health center in Kentucky paid $73,000 in ransom for the keys to decrypt patient and system files.
– A large Louisiana healthcare provider had 116,262 PHI records encrypted, along with a database used by its orthopedics center.
Ransomware is also being delivered through what are known as “Advanced Persistent Threats” (APTs) and “Zero Day Exploits.” APTs resemble the better-known “brute force” hacking attempts in that a hacker or program continuously attempts to find and exploit vulnerabilities in a target’s information systems in order to steal information or disrupt the target’s operations; the distinguishing feature of an APT is persistence, with the attacker remaining inside the network for an extended period, as in the Massachusetts billing case above, where seven months passed between initial access and deployment of the ransomware. A “Zero Day” attack is one which takes advantage of a previously unknown hardware, firmware, or software vulnerability, for which no fix is yet available. APTs and Zero Day threats are dangerous enough by themselves, but an APT using a Zero Day Exploit can be extremely serious.
One of the best-known examples is the EternalBlue exploit, which targeted vulnerabilities in several of Microsoft’s Windows operating systems. Soon after the EternalBlue exploit became publicly known, the WannaCry ransomware was released and began spreading, eventually infecting hundreds of thousands of computers around the world, inflicting damages estimated to be in the billions of dollars.
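The EternalBlue exploit described above abused flaws in the SMBv1 file-sharing protocol on Windows hosts, which Microsoft addressed in security bulletin MS17-010; WannaCry spread between machines that still had SMBv1 enabled and the fix missing. The following script is an added example, not part of the original article, showing the audit a healthcare IT team can run on a Windows host to confirm that SMBv1 is disabled and that security updates are being applied. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (where the SmbShare and Dism cmdlets are available) and uses only built-in cmdlets; the `-Remediate` switch and the `$report` field names are this example's own choices.

```powershell
# Added example (not from the original article): audit a Windows host for the
# conditions WannaCry/EternalBlue relied on, and optionally remediate.
# Assumes: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.
# MS17-010 is Microsoft's published fix for the SMBv1 flaws; the specific KB
# numbers differ per OS build, so none are hard-coded here.

param(
    [switch]$Remediate   # when set, disable the SMBv1 server protocol
)

$report = [ordered]@{}

# 1. Is the SMBv1 server protocol currently enabled on this host?
$smb = Get-SmbServerConfiguration
$report['SMB1ServerEnabled'] = $smb.EnableSMB1Protocol

# 2. Is the SMBv1 optional feature installed at all (client or server side)?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1FeatureState'] = if ($feature) { [string]$feature.State } else { 'NotPresent' }

# 3. How recently has any hotfix been installed? A long gap suggests the
#    MS17-010 fix (or later cumulative updates) may never have been applied.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $report['LatestHotfix']       = $latest.HotFixID
    $report['DaysSinceLastPatch'] = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
} else {
    $report['LatestHotfix']       = 'unknown'
    $report['DaysSinceLastPatch'] = -1
}

# 4. Summarise the risk in one field so the output can be collected per host.
$report['Finding'] = if ($smb.EnableSMB1Protocol) {
    'HIGH: SMBv1 server protocol enabled; host is exposed to EternalBlue-class attacks if unpatched'
} elseif ($feature -and $feature.State -eq 'Enabled') {
    'MEDIUM: SMBv1 feature installed but protocol disabled; remove the feature'
} else {
    'OK: SMBv1 not in use'
}

# 5. Optional remediation: turn the server-side protocol off. Removing the
#    feature itself (Disable-WindowsOptionalFeature) needs a reboot, so it is
#    left to a maintenance window rather than done here.
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report['Action'] = 'SMBv1 server protocol disabled'
}

[pscustomobject]$report
```

Run it as `.\Audit-Smb1.ps1` to report, or `.\Audit-Smb1.ps1 -Remediate` to also disable SMBv1 on the spot; piping the output object to `Export-Csv` from a fleet-management tool gives a per-host inventory. Disabling SMBv1 can break very old imaging or lab equipment that only speaks that dialect, which is exactly why such devices should sit on a segmented network rather than keep the protocol alive on every workstation.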