Share this article on:
NRC Health, a provider of patient survey services and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the United States and Canada, experienced a ransomware attack on February 11, 2020 that affected some of its computer systems.
NRC Health immediately took steps to limit the harm caused and shut down its entire environment, including its client-facing portals. A leading computer forensic investigation firm was engaged to determine the nature and extent of the attack and the incident has been reported to the Federal Bureau of Investigation.
According to the NRC Health website, the data of more than 25 million healthcare consumers in the United States and Canada is collected by NRC Health every year. Patient surveys conducted by NRC Health on behalf of its clients allow them to prove that patients are satisfied with the services they have received. That information is important for helping to improve patient care and also for determining how much Medicare reimbursement healthcare providers receive under the Affordable Care Act. Healthcare clients also used patient satisfaction scores to determine how much executives and physicians get paid.
NRC Health said significant progress has been made restoring its systems and services to customers and a full recovery is expected in the next few days. Notifications have been sent to its healthcare clients informing them about the attack and updates are being provided to clients on a daily basis until the incident is fully resolved. In the notifications NRC Health said the initial findings of the investigation suggest no patient data or sensitive client information has been compromised.
Ransomware attacks on healthcare organizations have increased over the past year, after a fall in attacks in 2018. Several threat groups have taken to stealing patient data prior to the deployment of ransomware to encourage victims to pay the ransom demands. According to a recent analysis by Comparitech, there have been 172 healthcare ransomware attacks since 2016. Those attacks have cost the healthcare industry at least $157 million.
Correction: This article has been updated since publication to correct a factual error. The article incorrectly stated 63,581 patients had been affected.