Sarasota, FL (WorkersCompensation.com) – Most businesses know that data breaches are usually pretty costly due to the time involved in investigation, and perhaps in data lost. However, they can also be costly in other ways.
Just last month, criminal ransomware group Netwalker hacked into the medical department of the University of California San Francisco (UCSF) and hijacked its computer systems, encrypting the data so that it was not accessible by any means. Netwalker initially demanded $3 million in ransom to unlock the data, but ultimately accepted $1.14 million via a live internet chat that is available on its somewhat normal-looking website. Instructions on how to get to the website are often provided in error messages that pop up on the disabled computer systems. Once there, the website looks like most business sites, with FAQs and customer service features including the chat. The website also contains a theatrical ticker countdown – when time is up, Netwalker either deletes the data, infects the data with malware, or doubles the price of the ransom.
In a class action lawsuit that alleges violation of the Washington State Uniform Healthcare Information Act, the Washington State Consumer Protection Act, Washington State Constitution’s right to privacy, negligence, invasion of privacy, violation of and breach of contract, Grays Harbor County hospital system has offered a potential settlement, although it has denied wrongdoing. The $185,000 proposed settlement is the result of a 2019 ransomware attack that impacted 88,000 patients and resulted in two months of downtime. The attack happened when an employee clicked on an email link that initiated the ransomware. The series of events that followed was a perfect storm.
At first the hospital system’s IT department handled the incident, turning off servers to limit the spread of the malware. Since the incident happened on a weekend with limited staff, the malware had time to spread even though traditional anti-virus and backup programs were already in place.
The hospital itself operated on older software that prevented the ransomware from fully installing. However, the clinics were hit harder, and payments could not be processed for 5 days. Already in financial dire straits from the inability to process payments for a week, the hospital system then received a demand from the hackers for $1 million to unlock the data.
Although much of the data was salvaged, not all data was recovered. In the aftermath, patients soon filed lawsuits citing recovery of costs due to the breach and alleging negligence.
Grays Harbor hospital system has already invested $300,000 to improve the integrity and security of its virtual network, and has plans to invest another $60,000 over the next 3 years.
For this month alone, there have been 40 data breaches reported to HHS for investigation. Over half of the breaches reported were initiated by email. The total number of people impacted by those data breaches is 689,253.