Hollywood Hospital Pays $17K to Ransomware Hackers

February 18, 2016//Ellen Neveux

Last Updated: May 30, 2018

Ransomware forced payment in two separate cases this month alone
Hollywood Presbyterian Medical Center has paid approximately $17,000 via 40 bitcoins, a virtual currency, as ransom to the hacker who took control of the hospital’s computer systems and refused to give them back until he received the money, said Allen Stefanek, the hospital’s CEO, in a statement.

The ransomware attack on the 434-bed Los Angeles, California-based facility occurred on February 5, when staff began having trouble accessing the hospital’s computer network, Stefanek said. The ransomware had locked the system by encrypting files and demanding ransom for access to the decryption key. Ransomware is a type of malicious software that blocks access to a computer system until a sum of money is paid.

An initial investigation by the hospital’s IT department concluded that it had been hit by a malware attack. After notifying law enforcement, the hospital’s computer experts helped the hospital determine the source of the hack. The hacker demanded 40 bitcoins, or about $17,000, to release the files, he said, adding that previous reports indicating the attacker demanded $3.6 million, or 9,000 bitcoin, were false.

However, the hospital decided that the fastest and most efficient way to restore its systems and administrative functions was to pay the ransom to the hacker to obtain the decryption key. “In the best interest of restoring normal operations, we did this,” Stefanek said, noting that access to the hospital’s electronic medical record system had been restored by Monday, February 15.

Stefanek said that the hospital’s ability to deliver quality care to its patients was never compromised. “Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access,” he said. “All clinical operations are utilizing the EMR system,” Stefanek said. “All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event.”

Since 2010, at least 158 institutions have reported being hacked
An FBI spokeswoman told the Los Angeles Times that the FBI is now in charge of the investigation, but declined to offer specific details. However, an unidentified law enforcement source told the Times the hospital paid the ransom before contacting law enforcement. Federal law requires that hospitals report possible medical data breaches involving more than 500 people. Since 2010, at least 158 institutions – including healthcare providers, insurance companies and hospitals – have reported they have been hacked or had information technology issues that have compromised patient records, the Times noted.

An FBI report issued last year indicated that the use of ransomware by criminals was on the rise. In addition, the FBI said more criminals were requiring victims to pay their ransom demands with bitcoins. Indeed, officials of the Horry County school system in Conway, South Carolina, have approved an $8,500 ransom in bitcoins to unlock servers hit by ransomware on February 8.

Administrators reached out to the FBI, but said they were “willing to pay the ransom because it’s a small amount compared to the man hours already lost trying to solve the problem.” Officials said that while they can’t guarantee the school system won’t fall victim to a similar attack in the future, it would be highly unlikely. Although the school system said it couldn’t determine where the attack came from, officials said the breach most likely occurred in an older server running software with out-of-date applications.
