A Ransomware Victim Shares His StoryPresident of Healthcare Organization Describes the Aftermath and the Lessons Learned
More and more healthcare organizations are getting targeted with ransomware attacks. What's it like to deal with the consequences?
Jack Malone, president and executive director of the Southeastern Council on Alcoholism and Drug Dependence, Inc., shared with me some insights on the many headaches involved in the aftermath of such an incident - and important lessons to learn.
"We had security in place, but the door got slightly open for a tiny period of time, and these attackers found a way in. They're always looking for a way in."
The attack against the Lebanon, Connecticut-based not-for-profit provider of inpatient, outpatient and residential treatment for substance abuse disrupted operations for only a few days. But it led to weeks of challenges, including difficulties in notifying former patients whose information may have been exposed.
SCADD discovered on Feb. 18 that it was a victim of ransomware. Malone suspects the attackers got into the organization's network right before that when SCADD "opened a portal to a server" to allow federal auditors to conduct a required financial audit. "That audit took two days, and the attacker probably snuck in then," he says.
SCADD hired a third-party firm to help it recover from the ransomware attack without paying the $1,800 ransom demanded by the extortionists to provide a decryption key. "They didn't ask for $10 million. The [attackers] were probably trying to cash in wherever someone is willing to pay a smaller amount," he says.
The recovery effort for dealing with what Malone describes as "run of the mill" ransomware took about a week using back-ups, he says. During that time, certain clinical functions couldn't take place, despite the entity's current cloud-based electronic health record system not being impacted by the attack, he says.
The bulk of patient records potentially compromised in the attack were part of about seven years' worth of information that SCADD has to hold onto for regulatory purposes, he says. That includes digitized patient records created before the entity's move to a cloud-based EHR last year.
SCADD is notifying an estimated 25,000 individuals whose information, including name, address and Social Security number - as well as medical history and treatment information - was potentially exposed to the attackers.
"Many of these people are indigents - 95 percent of them are the sickest and the poorest people in eastern Connecticut," Malone says. Reaching many of these individuals is difficult, he explains, because their only known address might be the last substance treatment facility - such as a half-way house - where they stayed, perhaps years ago.
"Their Social Security numbers are not valuable," Malone says, speculating that if fraudsters attempted to use them to, for example, create an identity to use to open a credit account, they'd likely be turned down due to poor credit history.
Still, government regulations require that SCADD make the effort to notify each impacted individual.
"That's 55 cents a pop [for postage of each letter], and a high percentage of these people will never receive the letter," he says. A law firm SCADD hired advised Malone that its news release about the ransomware attack should legally suffice for those individuals SCADD can't directly reach.
Thankfully, SCADD has cyber insurance, which will cover the costs associated with the attack, Malone says. Those expenses could run as high as $100,000, he estimates. "That's a door-closing event," he says of the cost - if the organization had to pay it on its own. "We're a small, community-based non-profit," he notes.
In addition to confirming the value of cyber insurance, what's the other big lesson learned from this attack?
"Lock your 'doors.' We had security in place, but the door got slightly open for a tiny period of time, and these attackers found a way in. They're always looking for a way in," he says.
The recently issued 2019 Verizon Breach Investigations Report says that for the second straight year, ransomware attacks accounted for over 70 percent of all malware incidents in the healthcare sector.
Malone's tale of the headaches and expenses that come after a ransomware attack offers an important reminder that healthcare organizations should investigate cyber insurance, have a breach notification plan in place and make continual efforts to keep the bad guys out.