Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible.

The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis.

The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville.

This is not the first ransomware attack suffered by the health center this year.  A prior attack occurred on April 2, 2019, which similarly took its computer systems out of action. In that case, backups were used to restore data and its systems were rebuilt from scratch. The health center was able to recover data without paying a ransom, although its systems were offline for around three weeks while the attack was remediated.

The health center consulted with third-party IT specialists and the FBI after the latest attack and the decision was taken to pay the ransom for the keys to decrypt files. Park DuValle CEO Elizabeth Ann Hagan-Grigsby explained to WDRB reporters that it was not possible to rebuild its systems and recover data from backups after the latest attack.

The ransom was paid in two installments, the first was made two weeks ago and the final payment was made last week. The latest payment was for 6 Bitcoin. Approximately $70,000 was paid in total. The health center expects to have fully restored its systems by August 1, 2019.

The ransom payment is only a small part of the cost of a ransomware attack. Hagan-Grigsby said the attack has so far cost around $1 million.

While the ransomware prevented files from being accessed, Hagan-Grigsby does not believe there has been a data breach. She said the Department of Health and Human Services has been notified but was told there was no data breach. no evidence was found to suggest unencrypted patient information was viewed and its firewall logs show no data was exfiltrated from its systems.

The Park DuValle ransomware is one of several healthcare ransomware attacks to be reported in the past few days. Ransomware attacks have also recently been reported by Springhill Medical Center in Alabama, Harbor Community Hospital in Washington, and Dr. Carl Bilancione’s dental office in Maitland, Florida.

An attack was also reported by Bayamón Medical Center in Puerto Rico, which also affected its affiliated Puerto Rico Women and Children’s Hospital. The attack impacted more than 520,000 patients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.