Hackers Demand $1 Million Ransom from Washington Hospital

A ransomware attack on a hospital in Aberdeen, WA, and its associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption.

On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday, when staffing was limited, so the problem was initially attributed to an IT issue. On Monday it became apparent that ransomware was involved, and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee.

Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software, which allowed the attackers to infect more systems. Those systems are still down at the clinics, which are using pen and paper to record patient information.

A spokesperson for the hospital said patient care has not been affected. The hospital is continuing to provide emergency care to patients and appointments are going ahead as scheduled. There have been some delays to appointments and there are still issues accessing patient information. Patients have been told to bring details of their prescriptions and their medical histories and to make that information available at point of care.

The hospital had created backups but it was not possible to recover files as the backups had also been encrypted. As of August 13, 2019, the hospital still had not regained access to its files. The attack has been reported to the FBI and the hospital is assisting with its investigation.

The hospital had previously taken out a cybersecurity insurance policy for $1 million, which may cover the ransom payment. It is unclear whether the ransom has been paid.

No evidence of data access or theft was found, but the possibility could not be discounted. Affected patients had the following information exposed: full name, address, phone number, date of birth, Social Security number, insurance information, diagnoses, and treatment information.

The hospital has started notifying the 85,000 patients affected by the breach and each has been offered complimentary credit monitoring services. Security measures are being assessed at the hospital and medical group and additional hardware and software solutions will be implemented as appropriate to improve security. Employees will also be provided with additional training.

Update: 08/26/19: The HHS’ Office for Civil Rights breach portal indicates 88,399 patients were affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.