Clinics Serving Uninsured Hit by Ransomware
Organization Refuses to Pay Ransom, Struggles to Bounce Back
A ransomware attack on the operator of non-profit clinics that serve the uninsured in St. Louis led to the breach of information on 152,000 patients, clinicians and employees. The organization says it did not pay a ransom, and IT experts have not been able to unlock the data encrypted by hackers in the September attack.
The incident is yet another reminder that ransomware attacks can affect organizations of all types and sizes.
"Less sophisticated attacks are more random, and it's unlikely the attackers consider the victim's ability or inclination to pay," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. "As long as some attacks succeed and result in payment, the attacker achieves his goal."
In a statement issued Oct. 25, Betty Jean Kerr People's Health Centers, which operates three clinics in St. Louis, says that on Sept. 3, it discovered a cyberattack from an "unknown foreign actor" that encrypted some of its data, making the information inaccessible.
"The foreign actor demanded that People's pay a ransom to unlock the data. ... Patient data, provider data and employee data were involved in this incident, however, patient medical records were not involved," the statement says.
"After discovery of the breach, we took immediate action to secure our information, and we engaged a forensic information technology firm to assist us. We also notified law enforcement," the statement says. "We have not paid the ransom, and even with the help of the IT firm, we have not been able to unlock the data."
A spokesman for the health center tells Information Security Media Group that the organization's cloud-based electronic health records system was not impacted by the attack. The IT firm working with the health center is helping the organization resume operations, he says.
"We've resorted back to using paper and are in the process of rebuilding some systems all over again," he says.
The clinic declined to disclose how much of a ransom the attacker demanded, whether the organization has cyber insurance, and whether it has backups to help in the rebuild of impacted data.
"We're a federally qualified health center that runs on government grants," he says. "Why would anyone want to attack a health center?"
Patient information from 2011 through Sept. 2, 2019, potentially exposed in the attack includes names, dates of birth, addresses, Social Security numbers, limited clinical data, pharmacy data, insurance information and dental X-rays.
Information about healthcare providers who sought to be credentialed by People's from 2010 through Sept. 2, 2019, also may have been exposed. That includes providers' names, addresses and Social Security numbers. Similar information on employees from 2012 through Sept. 2, 2019, may also have been exposed.
Small Entities, Big Impact
Ransomware attacks on smaller healthcare organizations can have a devastating impact (see Latest U.S. Ransomware Attacks Have Harsh Impact).
In addition to disrupting the ability to deliver patient care for days or weeks, some entities have struggled to rebound at all from ransomware attacks on their systems.
For instance, in September, Wood Ranch Medical, a small family health clinic in Simi Valley, Calif., announced it plans to close in December because it cannot recover access to any of its records as a result of a recent ransomware attack.
"Hackers will mostly take the path of least resistance. Many times that is the smaller or non-profit organization with limited resources," says Cathie Brown, vice president of professional services at security risk management consulting firm Clearwater. Hackers may also target a smaller organization as a test of their attack, she notes. "Overall, the healthcare sector is not as mature in cybersecurity practices, which makes it more vulnerable."
Backups that have been untouched by the attacker are the key to recovery from ransomware when the organization doesn't pay a ransom, Borten notes. "Some electronic data could possibly be reconstructed from paper documents, but fewer and fewer healthcare providers use paper anymore," she says.
Steps to Take
Even smaller entities with slimmer security resources can take steps to prevent the most devastating consequences of ransomware and other cyberattacks, Borten notes.
"Backup, backup, backup. Performing routine backups and storing them off the vulnerable network is typically not a significant burden in terms of cost or resources," she says.
Encryption is one of the strongest tools entities have to protect data, Brown notes. "Unfortunately, the attackers are using the strength of encryption because it works and it's almost impossible to break," she says. "Backups are critical in recovering from an incident like this. However, simply having backups is not enough. It is also very important to test backups to ensure the process is working and systems can be recovered."
All healthcare organizations need to develop more mature cybersecurity hygiene to protect patient data, Brown says. "Ultimately, our defenses must be better, regardless of the motivation or sector of the attack."
Clyde Hewitt, executive adviser at security consulting firm CynergisTek, says that in addition to cybercriminals targeting healthcare provider organizations with ransomware attacks, "we have seen an increased focus on supply chain partners as healthcare providers lack the resources to perform extensive due diligence.
"Boards of directors need to clearly understand their fiduciary obligations to protect their organization from this significant threat and take realistic steps to address this risk before the disaster strikes. This starts with a comprehensive risk assessment followed by a prioritized risk mitigation plan."