Park DuValle Community Health Center Pays $70,000 in Ransomware Attack

Park DuValle Community Health Center has revealed that they were forced to pay hackers $70,000 to recover nearly 20,000 records that were compromised in a ransomware attack. 

The Louisville, Kentucky-based health centre, which runs medical clinics for low-income and uninsured patients, suffered the attack on June 7, 2019.

Ransomware is a type of malicious software that blocks the victim from accessing their computer, or certain files on their computer, until a ransom is paid to the hacker. The malware may be delivered to a computer through a phishing attack. In this instance, hackers rendered the health centre’s medical record system and appointment scheduling platform inaccessible.

As the attack rendered the system inaccessible, employees at the clinic resorted to writing down patient information for seven weeks. Furthermore, as they could not access electronic records, they had to rely on patients’ accounts of past treatments and medications.

Employees could not schedule appointments, and the clinic had to operate on a walk-in basis.

The protected health information (PHI) of approximately 20,000 current and former patients who had previously received treatment at one of its medical centres was stored on the system. The health centre has branches in Louisville, Russell, Newburg, and Taylorsville.

Park DuValle Community Health Center experienced another cyberattack on April 2, 2019. The systems were offline for around three weeks, but overall that attack did not cause as much disruption as the June attack, as IT staff were able to use backups to restore data. The health centre then reconstructed its systems from scratch to avoid paying the ransom to the hackers.

The health centre consulted with third-party IT specialists and the FBI after the latest attack. After the consultation, they decided to pay the ransom for the keys to decrypt files. Park DuValle CEO Elizabeth Ann Hagan-Grigsby explained to WDRB reporters that it was not possible to rebuild its systems and recover data from backups after the latest attack.

The ransom was paid in two instalments: the first was made two weeks ago, and the final payment was made last week. The latest payment was for 6 Bitcoin. Approximately $70,000 was paid in total. The health centre expects to have fully restored its systems by August 1, 2019.

Hagan-Grigsby said the attack has so far cost Park DuValle Community Health Center around $1 million. Approximately $130,000 has already been spent on boosting their cybersecurity framework.

Hagan-Grigsby does not believe that the hackers accessed any patient files, and therefore believes the incident does not constitute a data breach. She said the Department of Health and Human Services had been notified and was informed that data was not compromised. Investigators did not find evidence to suggest unencrypted patient information was viewed, and its firewall logs show no data was exfiltrated from its systems.

The Park DuValle ransomware attack is one of several healthcare ransomware attacks to be reported in the past few days. Ransomware attacks have also recently been reported by Springhill Medical Center in Alabama, Harbor Community Hospital in Washington, and Dr Carl Bilancione’s dental office in Maitland, Florida.
