25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

St. Francis Health System Announces Extortion Attempt

Posted By on Oct 17, 2016

St Francis Health System has announced that a hacker has gained access to a database used to store information of patients of the Warren Clinic; a division of St. Francis that provides primary care and specialty medical services to patients throughout Eastern Oklahoma.

On September 7, 2016, a hacker made contact with St. Francis Health System demanding payment in exchange for the return of data that were stolen from one of its servers. Upon receiving the ransom demand St. Francis contacted law enforcement and took steps to block access to the server. A third party security firm was contracted to conduct a thorough investigation of the security breach which revealed a database containing health data of almost 3,000 patients had been compromised.

According to the breach notice issued by St. Francis Health System only a limited amount of data was stolen by the attacker. The data were taken from a database with a clinical title; however, the database contained no highly sensitive data such as insurance information, Social Security numbers, or financial information. The breach and data theft appears to have been limited to patient names and addresses.

The healthcare industry has been extensively targeted by extortionists in in recent months. A number of healthcare organizations have been contacted by hackers who have threatened to sell or publish stolen patient health information if a ransom payment is made. While ransom demands have been paid by some healthcare providers to enable them to regain access to patient data that have been locked by ransomware, ransom demands issued by data thieves have typically not resulted in ransom demands being paid. In such cases there is no guarantee that data will not be sold or published even if a payment is made.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

After being advised by law enforcement, St. Francis took the decision not to pay the ransom. 2,938 patients have now been notified of the security incident and privacy breach. The security firm is helping to enhance security to prevent future attacks from taking place.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist