HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records

Virtual Care Provider Inc. (VCP), a Wisconsin-based provider of internet and email services, data storage, cybersecurity, and other IT services, has experienced a ransomware attack that has resulted in the encryption of medical records and other data the firm hosts for its clients. Its clients include 110 nursing home operators and acute care facilities throughout the United States. Those entities have been prevented from accessing critical patient data, including medical records. The company provides support for 80,000 computers, in around 2,400 facilities in 45 states.

The attack involved Ryuk ransomware, a ransomware strain that has been used to attack many healthcare organizations and managed IT service providers in the United States in recent months. The ransomware is typically deployed as a secondary payload following an initial Trojan download. The attacks often involve extensive encryption and cause major disruption and huge ransom demands are often issued. This attack is no different. A ransom demand of $14 million has reportedly been issued, which the company has said it cannot afford to pay.

According to Brian Krebs of KrebsonSecurity, who spoke to VCP owner and CEO Karen Christianson, the attack has affected virtually all of the company’s core offerings, including internet access, email, stored patient records, clients’ phone systems, billing, as well as the VCP payroll system.

The attack has meant acute care facilities and nursing homes cannot view or update patient records and order essential drugs to ensure they are delivered in time. Several small facilities are unable to bill for Medicaid, which will force them to close their doors if systems are not restored before December 5th in time for claims to be submitted. VCP has prioritized restoring its Citrix-based virtual private networking platform to allow clients to access patients’ medical records.

The attack commenced on November 17, 2019 and VCP is still struggling to restore access to client data and cannot process payroll for almost 150 employees. Christianson is concerned that the attack could potentially result in the untimely demise of some patients and may force her to permanently close her business.

KrebsonSecurity reports that the initial attack may date back to September 2018 and likely started with a TrickBot or Emotet infection, with Ryuk deployed as a secondary payload.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.