Mental Healthcare Providers Respond to Ransomware AttacksTwo Entities Hit - One Pays Ransom; the Other Doesn't
Two recent ransomware attacks on mental healthcare providers are reminders of the security incident response and risk mitigation pressure faced by entities handling especially sensitive patient information.
In the two recent ransomware incidents, one of the targets - Delaware Guidance Services for Children and Youth - paid a ransom to unlock its patient records, and the other - Green Ridge Behavioral Health in Maryland - recovered without paying the extortionists.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing major health data breaches shows that on Feb. 22, Delaware Guidance Services for Children and Youth reported the hacking incident affecting 50,000 individuals and involving electronic health records, email and laptop and desktop computers.
The Wilmington, Delaware-based organization says on its website that it's the largest not-for-profit provider of comprehensive psychiatric services for children and their families in Delaware with a staff of 200, a budget of $12 million and five locations statewide.
In a notification statement on its website, the Delaware organization notes that on Dec. 25, 2018, it was the victim of a ransomware attack on its data servers that encrypted records so that they could not be opened.
Records containing patient's personal information, such as name, address, birth date, Social Security number, and medical information, are stored on the affected servers, the organization notes.
"To secure release of the records, DGS was required to pay a ransom, in exchange for a decryption key that unlocked the records," the notification statement says.
DGS says it hired an information technology firm to review its systems and conduct a forensic analysis to help determine whether any of its records have been improperly accessed or used by an unauthorized individual.
"While there is no indication that data has been compromised, we nonetheless thought it prudent to advise you of this situation, as we are keenly aware of how important your personal information is to you. We also have notified law enforcement authorities of the incident," DGS says.
DGS did not immediately respond to an Information Security Media Group request for additional information about the incident.
No Ransom Payment
Another mental healthcare provider that was also a victim of a recent ransomware attack chose not to pay a ransom.
Green Ridge Behavioral Health reported to HHS on Feb. 11 a hacking incident affecting 14,000 individuals that involved EHRs and a network server.
Green Ridge Behavioral Health's office manager tells ISMG that the hacking incident involved a ransomware attack on Feb. 8, and that the organization was able to recover its data using back-ups, avoiding paying a ransom.
The Gaithersburg, MD-based organization has three locations in the state and provides mental healthcare services and substance abuse treatment.
As of March 15, the entity had not yet sent notification letters to affected individuals, in part because Green Ridge is still assessing the incident, the office manager tells ISMG. Notification letters will begin being sent the week of March 18, she says.
A number of other healthcare organizations have revealed they paid a ransom to recover from a ransomware attack.
"Privacy may be more ingrained in the individuals providing mental health services than in other healthcare fields. But that doesn't necessarily translate into better security."
—Kate Borten, The Marblehead Group
For instance, last May, Rochester, Minnesota-based Associates in Psychiatry & Psychology said it decided to pay an undisclosed ransom after determining it would take longer and potentially be more difficult to attempt to restore its systems without obtaining a decryption key from the hackers.
That attack is listed on the HHS' Office for Civil Rights' HIPAA breach reporting website as a hacking incident impacting more than 6,500 individuals.
Privacy attorney Iliana Peters of the law firm Polsinelli says recovery from ransomware attacks can prove difficult, especially if organizations do not have sufficient data backup policies and procedures.
"Entities must respond quickly, including considering whether to pay a ransom, just to get their businesses up and running again," she notes. "For healthcare providers, this is particularly important, given the patient safety issues involved with a lack of access to their patients' data."
When the WannaCry ransomware attack hit the public health system in the U.K., hospitals had to turn people away, she notes, "because they couldn't treat them without access to any of their systems or applications that were affected."
Peters says it's "absolutely critical" that U.S. organizations have robust backup methods for their information, as is required by the HIPAA Security Rule.
Mental healthcare providers also are often subject to privacy regulations that are more stringent than HIPAA, says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
That includes CFR 42 Part 2 - or the Confidentiality of Substance Use Disorder Patient Records - that generally requires federally assisted substance abuse treatment programs to take extra steps to protect individuals' privacy.
"Privacy may be more ingrained in the individuals providing mental health services than in other healthcare fields. But that doesn't necessarily translate into better security," Borten says.
"The maturity of an organization's security program may be associated more with size and resources than the type of healthcare provided. Of course, there are outliers. A small or midsize organization can have a strong security program attributable to one senior leader who recognizes and believes in the need for it."