A Look at the Ransomware Attacks on Healthcare Facilities in 2020-21
Hackers, always seeking illicit lucrative opportunities, exploited the COVID-19 pandemic to cause additional havoc at hospitals and other healthcare organizations across the globe. Knowing these facilities were already under extreme duress due to the pandemic, attackers counted on them being desperate to restore their systems ASAP. They bet healthcare organizations would be more likely to pay the ransom demands than to endure prolonged outages that put their patients (and businesses) at risk.
So they attacked…and attacked. Back in October, six U.S. hospitals were targeted within a span of 24 hours. Today we’ll take a look at several of the most significant ransomware events where hospitals and other healthcare facilities were victimized in 2020-21 and what information is known.
Recent Ransomware Attacks on Healthcare Facilities
Universal Health Services (UHS)
One of the worst-ever ransomware attacks on the healthcare industry occurred in September 2020 when Universal Health Services (UHS) lost its computer network. UHS has over 400 facilities located in the U.S. and Great Britain, so you can only imagine the number of people affected. Initially, the only warning was a gradual network slowdown, but then computers began to act strangely and started “shutting down” on their own, one nurse told NBC News.
- As the attack unfolded, ambulances had to be redirected, patients relocated and IT systems were taken offline.
- Staff was forced to convert to paper systems. These aren’t nearly as efficient, especially when working under emergency conditions, because they significantly slow down processes.
- UHS systems were offline for roughly three weeks, and it was determined Ryuk ransomware was the culprit.
Reportedly, UHS didn’t pay the ransom. Ultimately though, they suffered $67 million in losses due to the malware attack.
Sky Lakes Medical Center
In October 2020, the Sky Lakes Medical Center in Klamath Falls, OR, was crippled by a ransomware attack that froze patient medical records, delayed surgeries, curbed diagnostic imaging and negatively impacted the facility’s ability to offer computer-controlled cancer treatments.
What we know:
- In an announcement filed at the time, the medical center admitted its computer systems were compromised but found no evidence patient records were breached.
- A day later, some operations were restored, but functioning was “slower,” per the facility.
- In early November, the organization announced it was replacing PCs at risk for infection and rebuilding others to create a virus-free network.
On November 7, the following statement was issued:
“While we will refuse to pay any extortion, we have cut back on some elective and outpatient services while our systems have been down,” said Paul Stewart, president and CEO of Sky Lakes. “We are also having to spend money on new equipment that we had not anticipated, such as PCs and servers, etc., as well as extra labor expense. We cannot yet quantify the total impact, but it will likely be significant. We have some business-interruption insurance but do not anticipate it covering the full impact of the ransomware attack.”
Sky Lakes Medical Center was able to restore its systems from the Ryuk ransomware attack and did not pay cybercriminals any ransom. In total, they replaced about 2,000 computers.
St. Lawrence Health System
Upstate New York-based St. Lawrence Health System announced in October 2020 that three of its hospitals (Canton-Potsdam, Massena and Gouverneur) had suffered ransomware attacks from the Ryuk ransomware variant. The attacks were detected several hours after the initial compromise, and authorities were notified. As a result of the breach, the facilities were forced to shut down their computer systems to contain the spread of the malware, and they were also forced to divert ambulances.
How they responded:
- “The Health System’s Information Systems (IS) department disconnected all systems and shut down the affected network to prevent further propagation,” the health system said in a news release, per WWNY.
- “These locations are utilizing their established backup processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”
- The healthcare organization further went on to say they analyzed the attack and “established a mitigation and remediation plan” with plans to reboot facility systems. The news release stated no patient or employee data appears to have been compromised.
Sonoma Valley Hospital
In October 2020, the California-based Sonoma Valley Hospital was also infected by ransomware. During this cybersecurity event, the thieves took tens of thousands of patient records, including personal and medical data. This event was part of a larger attack that was targeting hospitals across the U.S.
In response, Sonoma Valley Hospital quickly notified law enforcement and followed up with a letter to the affected patients. Once the breach was discovered, the facility shut down its computers.
What we know:
- During the course of its investigation, Sonoma Valley Hospital estimated roughly 67,000 patients whose insurers were billed for medical services between 2009 and later may have been compromised.
- Other patient information and patient financial information (credit cards and SSNs) were not impacted.
- The event was publicly disclosed in December 2020. According to media reports, Sonoma Valley Hospital did not pay threat actors the demanded ransom.
Rehoboth McKinley Christian Health Care
New Mexico-based Rehoboth McKinley Christian Health Care is a nonprofit hospital that serves the Navajo Nation. In February 2021, it was reported the facility was targeted by a known cybercriminal group and that they had stolen and posted sensitive employee information online. The exploited information included job applications, employee background checks and employee injury reports, along with some patient information, according to Health IT Security’s write-up of the incident.
Upon discovery, systems were reportedly taken offline, and the hospital had to revert to paper processing to keep the facility running.
What we know:
- The hospital isn’t saying much publicly, but it’s believed this was a ransomware attack and that criminals were extorting the hospital for money.
- It’s unknown whether Rehoboth McKinley Christian Health Care paid the ransom, but media reports speculate that, since the hackers removed information from their website, the facility may have met their demands. An investigation is ongoing.
Allergy Partners
Allergy Partners, an organization that operates patient care sites across the U.S., confirmed an attack was launched in February 2021 in its North Carolina facilities and lasted for eight days. Systems were taken offline.
How they responded:
- “Our IT team has been working tirelessly to restore systems safely and efficiently, and we have been servicing patients as normal at a majority of our locations since March 1st,” officials explained (courtesy Health IT Security). “If we learn patient information was involved in this incident, we will notify those patients directly.”
- Hackers reportedly demanded $1.75 million in ransom to decrypt the files stolen. Allergy Partners hired a third party to investigate the scope of the ransomware attack.
St. Margaret’s Health – Spring Valley
St. Margaret’s Health – Spring Valley was another February 2021 ransomware victim. The Illinois-based hospital was forced to shut down its systems, including patient web portals and email systems. The facility immediately contacted cyber security experts who quickly arrived at the scene. Reportedly, the hospital had a business continuity plan in place and was able to pivot and turn to paper processes.
“We have drills, and we have practiced for computer downtime,” said Lina Burt, Vice President of Quality and Community Services, according to local news. “Our computer systems periodically undergo updates that require the system to be shut down. So we just implemented all of our paper processes.” The investigation is ongoing.
University Hospital
In September 2020, University Hospital in Newark, NJ, fell victim to a ransomware attack that stemmed from a phishing scheme after an employee shared credentials. The attack, carried out by a group known as SunCrypt, stole and encrypted 240 GB of data, including patient information, according to Bleeping Computer.
What we know:
- To prevent the sensitive information from being published, the facility paid $670,000 in ransom (paid in 61.90 bitcoins).
- Before the ransom was paid, the cybercriminals posted an archive of 48,000 documents belonging to the NJ-based hospital, and the facility, knowing they had unencrypted data, wanted to ensure no additional sensitive information was published.
- Initially, the hackers were demanding $1.7 million in ransom, but decided to negotiate due to pandemic conditions caused by COVID-19. In exchange for the bitcoin amount, operators provided the hospital with a decryptor, all stolen data and an agreement not to share any more data or attack University Hospital again.
The list above is only a sample of the types of attacks that are victimizing healthcare facilities, many of which can put patient lives at stake and hurt hospitals in several ways. The U.S. Department of Health and Human Services reported 723 attacks (continuously updated and includes other types of attacks, along with ransomware) on medical health records in the last 24 months. Not all facilities victimized by ransomware attacks have publicly shared the details. However, what is known is that there have been hundreds of events in 2020, and some hospitals did pay the ransoms to avoid disrupting patient treatment and to prevent deaths. Unfortunately, ransomware attacks on hospitals are continuing in 2021 and by year’s end, the numbers could be far worse.
Learn More about Protecting Your Healthcare Organization from Ransomware
Healthcare facilities, along with other organizations, are highly vulnerable to ransomware attacks. Proactive preventative steps, combined with robust disaster recovery solutions, are key to averting the devastating impact of an attack.