Hackers hijacked medical files of a Michigan practice, demanding a ransom of $6,500 for the decryption key. The doctors saw two options: pay up or shut down.
Art Gross with HIPAA disclosed the recent ransomware lockdown: A doctor’s office in Battle Creek, Michigan is closing its doors following a ransomware attack that left them with no other option – besides pay up.
The Demand and the Decision
Dr. William Scalf told a local news outlet, WWMT West Michigan, that hackers locked the files at Brookside ENT and Hearing Center, demanding $6,500 for the decryption key to regain access to their files.
A decision was made between Scalf and his partner, Dr. John Bizon to not pay the ransom. Despite hackers having full control over the practice’s computer system, there was no guarantee that the files would be restored if the ransom was paid, or that the hackers would not request additional funds following the receipt of the initial request.
Failure to pay the ransom resulted in the cybercriminals completely wiping out the practice’s computer system, including all their patient records, appointment schedules, and payment information.
According to Bizon, the practice’s electronic health record system’s files were encrypted, therefore no patient data was accessed by the hacker. Bizon also stated that no files were copied or shared prior to them being deleted.
Rather than rebuild the practice, the doctor’s have decided to call it quits and take early retirement. Unfortunately for the patients of Brookside ENT and Hearing Center, their next steps won’t be quite as easy as calling it quits. Since all patient data was deleted in the attack, patients will need to start all over at another medical center with no medical records, including conditions or prior treatments.
The FBI is currently investigating the hack, and the practice is set to officially close its doors on April 30.
A Lesson to Learn
There is a lot that can be learned from this ransomware attack. Ransomware continues to exploit the healthcare sector, with recent research by Beazley finding the industry to be the most targeted. In addition, the research found that small businesses faced 71% of ransomware attacks last year.
Do not make the mistake of thinking your organization is too small to be targeted by a cybercriminal, or that the data you possess isn’t worth anything. Medical records are a gold-mine for cybercriminals who rake in big profits by stealing them and selling them on the Dark Web.
Furthermore, every organization should have proper backups that are separate from the network. Having a separate copy of all your data and ensuring that the data is off the network will protect your organization from losing everything if a cybercriminal were to hack and wipe your system.
Having backups will not only help you recover your patient files if needed but will also protect the patient by ensuring they have access to their medical records in all situations. If you have no backups and lose your patient records, the loss and damage to the patient could be considered willful neglect under HIPAA.
Lastly, just because Scalf and Bizon chose to retire rather than rebuild their practice does not mean they’re off the hook. A ransomware attack is considered a reportable breach under HIPAA, and the damage patients are facing as a result of this breach may prove to bring hefty fines and penalties for the practice despite its closure.
As ransomware, phishing, and various other cyber-attacks continue to dominate the healthcare industry, the need for a robust cybersecurity and HIPAA compliance solution is undeniable.
Gross, Art. (2019, April 9). Ransomware Attack Shuts Down Michigan Practice – Deletes All Patient Files. HIPAA.