HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Urology Practice Pays $75,000 Ransom to Regain Access to Computer Systems

Boardman, OH-based N.E.O Urology has experienced a severe ransomware attack that has impacted its entire IT system. The ransomware caused widespread file encryption and locked the healthcare provider out of its computers and patient records.

While the attack was sophisticated, the notification was not. The healthcare provider was sent a fax from the attackers demanding a $75,000 ransom payment for the keys to unlock the encryption.

N.E.O Urology contacted its IT service provider and after assessing options and the risks, the decision was taken to pay the ransom. The IT service provider made contact with the attackers through a third party and the ransom was paid to obtain the keys to unlock the encryption.

Even with the decryption keys it took the medical practice three days to restore its computer systems due to the extent of file encryption. The breach investigation uncovered evidence to suggest the attackers were based in Russia.


Payment of a ransom is not without risk. The attackers may be unable to unlock the files, or may choose not to do so even after the ransom is paid. The FBI's advice is not to pay: paying is risky, and it funds and encourages further attacks.

However, in cases where data cannot be recovered by other means, there may be little choice and a ransom may need to be paid. N.E.O Urology informed the police department that it was suffering losses between $30,000 and $50,000 per day as a result of the inability to use its computer system.

Ransomware attacks declined throughout 2018, but in Q1 2019 there was a significant uptick. Ransomware attacks increased by 195% in Q1 2019 according to Malwarebytes, and more than 70% of attacks were on small businesses. Healthcare organizations are an attractive target because they need constant access to databases and patient records, which makes downtime costly and a ransom demand more likely to be paid.

The inability to restore files from backups and refusal to pay a ransom can have severe consequences. Earlier this year, Brookside ENT and Hearing Center suffered a ransomware attack that encrypted patient records. After refusing to pay the ransom, the attackers deleted all the encrypted files. Faced with having to rebuild the practice from scratch, the owners chose early retirement and closed the practice.

In May, Talley Medical Surgical Eyecare Associates PC experienced a ransomware attack that rendered its files inaccessible. The breach affected 106,000 individuals. It is not known whether the ransom was paid or if files were recovered from backups. A month previously, Doctors Management Services experienced a ransomware attack that affected nearly 200,000 individuals.

To ensure you are not left at the mercy of cybercriminals, it is essential to adopt a robust backup strategy that sees multiple backup copies created, with at least one copy stored off-site in a secure location on a non-networked device that ransomware on the production network cannot reach. A backup that has never been restored is an untested assumption: restores should be exercised regularly, and the integrity of each copy checked, so that a backup encrypted or deleted alongside production data is discovered before it is needed.
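The following is an added, illustrative example (not code from HIPAA Journal or from any of the practices named in this article) of the integrity check such a strategy depends on. It records a SHA-256 manifest when a backup copy is written and later verifies the copy against that manifest, classifying each file as intact, modified, missing, or unexpected, which is what a ransomware-encrypted or wiped backup looks like from the outside. The directory layout, file names, the `manifest.json` file name, and the sample records are all constructed for the demonstration and are not real patient data.

```python
"""Backup manifest and restore-integrity check (added illustrative example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for this example, not a standard


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_backup(src: Path, dest: Path) -> dict:
    """Copy src into dest and record a manifest of the copied files."""
    shutil.copytree(src, dest, dirs_exist_ok=True)
    manifest = build_manifest(dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path) -> dict:
    """Compare the backup copy against its manifest and classify each file."""
    expected = json.loads((backup / MANIFEST_NAME).read_text())
    actual = build_manifest(backup)
    return {
        "ok": sorted(k for k in expected if actual.get(k) == expected[k]),
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "unexpected": sorted(k for k in actual if k not in expected),
    }


def demo() -> tuple:
    """Back up a constructed folder, verify it, then verify again after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "2019").mkdir(parents=True)
        # Constructed sample files; no real PHI.
        (src / "2019" / "visit-0001.txt").write_text("constructed sample record\n")
        (src / "schedule.csv").write_text("date,room\n2019-06-03,2\n")

        backup = Path(tmp) / "offline-copy"
        write_backup(src, backup)
        clean = verify_backup(backup)

        # Simulate ransomware reaching the copy: one file overwritten with
        # ciphertext-like bytes, one renamed to a ".locked" file.
        (backup / "schedule.csv").write_bytes(os.urandom(64))
        (backup / "2019" / "visit-0001.txt").unlink()
        (backup / "2019" / "visit-0001.txt.locked").write_bytes(os.urandom(64))
        tampered = verify_backup(backup)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("tampered backup:", after)
```

Two caveats on using this pattern for real. A manifest stored inside the backup can be rewritten by the same attacker who encrypts the files, so keep a copy of the manifest (or a signature over it) on a separate, write-once medium. And a hash check only proves the copy is what was written; it does not prove the application can use it, so a periodic restore into an isolated environment is still required.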

There is some inconsistency between recent reports on the number of healthcare ransomware attacks and the number that have been reported to the HHS’ Office for Civil Rights. That suggests some healthcare organizations are not reporting attacks.

Following a ransomware attack, a risk analysis should be conducted to determine the likelihood of an ePHI compromise and whether the breach is a reportable incident. OCR has previously issued guidance on ransomware attacks to help covered entities determine whether an attack is a reportable breach.

OCR stated that most ransomware attacks are reportable breaches under HIPAA. Breaches may also need to be reported to state attorneys general, and affected individuals will need to be sent breach notification letters within 60 days of discovery of the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.