Grays Harbor Community Hospital in Washington is notifying 88,399 patients that their confidential health information may have been compromised in a ransomware attack.
The hospital and its associated clinics, based in Aberdeen, WA, is still dealing with the consequences of the attack months after the fact. The attackers have demanded $1 million for the keys to unlock the encryption.
On June 15, 2019, Grays Harbor Community Hospital noticed some suspicious activity on its network and started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network.
However, these efforts were too late, and the attackers had already gained access to servers and the systems used by Harbor Medical Group clinics.
It is suspected that the ransomware was installed on the system after an employee responded to a phishing attack sent by the hackers.
Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. However, the clinics used more recent software, which allowed the attackers to infect more systems. Those systems are still down at the clinics, which have been forced to use use pen and paper to record patient information.
A spokesperson for the hospital said patient care has not been affected. The hospital is continuing to provide emergency care to patients and appointments are going ahead as scheduled. However, there are still issues accessing patient information and some appointments have been delayed.
Patients have been told to bring details of their prescriptions and their medical histories and to make that information available at point of care.
The hospital had created backups but it was not possible to recover files as the backups had also been encrypted. As of August 13, 2019, the hospital still had not regained access to its files.
The attack has been reported to the FBI and the hospital is assisting with its investigation.
The hospital had previously taken out a cybersecurity insurance policy for $1 million, which may cover the ransom payment. At this point it is unsure whether the ransom has been paid to the attackers.
No evidence of data access or theft was found, but the possibility could not be discounted. The affected servers housed patient names, addresses, phone numbers, dates of birth, Social Security numbers, insurance informations, diagnoses, and treatment information.
The hospital has started notifying the 85,000 patients affected by the breach and each has been offered complimentary credit monitoring services.
Security measures are being assessed at the hospital and medical group and additional hardware and software solutions will be implemented as appropriate to improve security. The hospital is also implementing an employee training schedule to mitigate the risk of an employee responding to phishing emails in the future.