HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Close Call but VA Hospital Thwarts Attempted Cyberattack

A VA hospital has contained a cyberattack that could potentially have exposed the records of 100,000 patients and 5,000 hospital staff. The security breach is believed to have been caused by a member of the hospital staff responding to a phishing campaign.

Trojan Virus Discovered on Computer Drive Shared by 4,000 Employees


The James A. Haley VA Medical Center (JAHMC) had a particularly close call last week when a virus was discovered to have infected a number of the hospital’s files. Only the fast action of the hospital’s IT staff prevented the exposure of over 100,000 patient and employee records.

The virus was discovered on a JAHMC computer drive used by 4,000 hospital employees. The Trojan is believed to have been installed as a result of a member of staff responding to a phishing campaign.

Hackers send out emails containing links to malware and virus-infected websites, which if visited, download malicious software onto computers and shared drives. Emails containing virus-infected attachments are also sent to healthcare employees. Should those attachments be opened, viruses and malware are installed, potentially giving hackers access to the entire computer network.

Please see the HIPAA Journal Privacy Policy

Phishing emails are often very convincing, and contain apparently legitimate requests for information or valid reasons for visiting an infected website. It is all too easy for the unwary to be fooled into opening those attachments or clicking on a link.

In this case, a member of staff fell for a phishing campaign and a virus was installed on a shared drive. Fortunately, a data security system was in place that rapidly identified changes that had been made to files stored on the drive. Once the virus was discovered, the VA shut down access to the shared drive to allow its IT staff to remove the malicious software. That process proved to be a complex task, which required access to the shared drive to be shut down for five days while security experts investigated the attack and assessed the damage caused.

Anti-Virus Protections Rapidly Identified the Cyberattack


A statement issued by JAHMC spokeswoman, Karen Collins, explained that “On Friday, mandatory, anti-virus protections that are in place, detected and deleted a Trojan virus on the “S drive” (which is a shared drive on a server for employees to store documents and other files).” The virus had infected a number of documents on the server, which triggered the hospital’s data security alarms.

The statement went on to explain that “As a result, files on that drive were made read-only while internal scanning operations were performed to fully remediate the virus and ensure the integrity of the system.”

This was a particularly close call, but Collins said, “According to our Information Security Officials, there was no breach of data and patient care operations were not affected.”

The Trojan virus was a form of ransomware, which once installed, encrypts files and make them unreadable. The only way those files to be recovered is by paying a ransom to the hacker responsible for the attack. In theory, if that ransom is paid, the hacker then decrypts the files. There is, of course, no guarantee that the files will be unlocked even if the ransom is paid.

Collins said that the infected files have now been restored from a backup of the drive; however, oftentimes these attacks result in data being lost. It is not clear at this stage whether the hospital has lost any data, but Collins did confirm thatwhoever sent the virus to the Haley system has no further access.” The hospital did not pay any ransom to the hacker responsible for the attack.

VA Under Constant Attack


The Department of Veteran Affairs is no stranger to cyberattacks; VA hospitals are frequently targeted by hackers who are lured by the vast quantities of Protected Health Information stored on its hospital servers, computers and networked storage devices.

Each month, the VA produces a data security report for congress which details the month’s successes and failures to keep veterans’ data secure. Last month, the VA released its Information Security Monthly Activity Report for July. That report indicated the VA had blocked or prevented close to 1.2 billion attacks. These included 319,989,878 blocked intrusion attempts, 791,111,239 blocked/contained malware infections, and 104,377,769 malicious emails.

The VA has invested heavily in cybersecurity defenses; however without continued investment it is only a matter of time before one of these attacks succeeds. Unfortunately, all it takes is for one cyberattack to be successful for the Protected Health Information of tens, if not hundreds of thousands of individuals to be exposed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.