Indiana Health System Pays $55K Ransom to Recover Files

Share this article on:

A ransomware attack on Greenfield, Indiana-based Hancock Health on Thursday forced staff at the hospital to switch to pen and paper to record patient health information, while IT staff attempted to block the attack and regain access to encrypted files.

The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack and a third-party incident response firm was called upon to help mitigate the attack.

An attack such as this has potential to cause major disruption to patient services, although Hancock Health said patient services were unaffected and appointments and operations continued as normal.

An analysis of the attack uncovered no evidence to suggest any patient health information was stolen by the attacker(s). The purpose of the attack was solely to cause disruption and lock files to force the hospital to pay a ransom to recover its files.

According to a report in the Greenfield Reporter, the attack involved a variant of ransomware called SamSam. The ransomware variant has been used in numerous attacks on healthcare organizations in the United States over the past 12 months. The unknown attacker(s) demanded a payment of 4 Bitcoin to supply the keys to unlock the encryption.

As required by HIPAA, Hancock Health had performed backups and no data would have been lost as a result of the attack; however, the process of recovering files from backups takes a considerable amount of time. The hospital would not have had access to files and information systems for several days – potentially even weeks – if backups were used to recover data. On Saturday, the decision was taken to pay the ransom.

The decision to pay the ransom was not taken lightly. While patient services were not affected, restoring files from backups would almost certainly have impacted patients and paying the ransom was seen to be the best option to avoid disruption. The keys to unlock the encryption were supplied within two hours of the ransom being paid and the network was brought back online on Sunday.

Typically, these attacks occur as a result of employees responding to phishing emails or visiting malicious websites, although Hancock Health says this attack was not caused by an employee responding to a phishing email.

The attack was sophisticated. “This was not a 15-year-old kid sitting in his mother’s basement,” said Hancock Health CEO Steve Long.

Hancock Health has now implemented software that can detect atypical network activity indicative of an intrusion or ransomware attack, which will allow rapid action to be taken to block, and limit the severity, of any further attacks. Hancock Health is continuing to work with national law enforcement to learn more about the incident.

Author: HIPAA Journal

Share This Post On