Kansas Heart Hospital Ransomware Attack: Ransom Paid, Second Demand Issued

As last week’s Kansas Heart Hospital ransomware attack clearly demonstrates, paying a ransom does not guarantee that attackers will supply the decryption keys needed to unlock files.

Ransomware Claims Another Healthcare Victim

This year a number of healthcare organizations have had vital data locked by malicious file-encrypting software. In February, Hollywood Presbyterian Medical Center felt there was little alternative but to pay a ransom to attackers to obtain decryption keys to unlock files that had been locked with ransomware. The attackers issued a Bitcoin ransom demand of approximately $17,000. Upon paying the ransom, the medical center was provided with a security key for each of the devices that had been infected.

Other healthcare providers have also been attacked this year. MedStar Health was reportedly issued a 45 Bitcoin ($19,000) ransom demand; the ransom was not paid, and files were instead recovered from backups. Other attacked healthcare providers were likewise able to avoid paying a ransom and recovered their locked files by restoring their systems from backups.

Kansas Heart Hospital Ransomware Attack

On Wednesday last week, another healthcare provider – Kansas Heart Hospital – reported that it too had been attacked and had critical files locked by ransomware. Kansas Heart Hospital chose to pay the ransom demand to recover its data quickly, deeming it to be easier than attempting to restore data from backups.

However, Kansas Heart Hospital discovered that paying a ransom does not necessarily result in viable decryption keys being provided. Rather than supplying the keys to unlock the data as promised, the attackers decided to try to extort more money from the hospital and a second ransom demand was issued. The amount paid by the hospital was not disclosed, although it is understood to have been small. The second demand allegedly was not.

Kansas Heart Hospital did have a ransomware emergency plan in place which was triggered following the attack, although not before the infection had spread. According to hospital president Dr. Greg Duick, “It became widespread throughout the institution.”

Duick told KWCH reporters that after the payment of the ransom and receipt of a second demand, “the policy of the Kansas Heart Hospital in conjunction with our consultants, felt no longer was this a wise maneuver or strategy.” The hospital is currently in the process of restoring files from backups.

Duick explained that the attackers at no point gained access to patient health information, and that medical treatment could continue to be provided to patients, although the attack did cause the hospital problems.

OCR to Issue Guidance to Covered Entities on Ransomware Attacks

The deputy director of Information Technology of the Office for Civil Rights recently said OCR will soon be issuing guidance to covered entities concerning ransomware infections. The guidance will help to clear up confusion over whether ransomware infections count as data breaches and if they are reportable under HIPAA Rules.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.