Skip to main content

Case briefs — Ransomware

Published Date
Author Laura Hale Brockway

In a ransomware attack, cyber criminals use software (ransomware) to take control of and encrypt the health care or billing data on your network. The criminals then threaten to destroy the data unless a ransom is paid.

Ransomware incidents often lead to investigations for alleged violations of HIPAA privacy and security rules. The following case briefs describe how actions by physicians or their employees led to these allegations, and how risk management techniques may have prevented the violations.

Case 1

A practice manager for a small group opened an email attachment and immediately noticed that she could no longer open any files on her computer. She received a pop-up alert with a ransom demand. IT staff investigated and found that because several months had passed since the last system back up, their patient data was irretrievable. The group reluctantly paid the ransom.

Three weeks later, the employee received another ransomware notice. Again it was decided to pay the ransom, which had doubled. Prompted by the second attack, the group revised its process to make sure current back ups would always be available. They also added more layers of cyber security and trained staff on how to avoid phishing emails.

Traditional IT security includes firewalls and antivirus software, but these tools may no longer provide enough protection. Learn about data protection and privacy issues and teach staff about what to avoid.
 

Case 2

A medium-sized medical practice was unable to access their legacy practice management system. When IT was called, they found a ransom demand on the server. IT staff took down the network to prevent the spread of the ransomware. A new server was restored from backup. Within two days, the practice was functioning normally.

Conducting frequent backups and ensuring the ability to recover data is crucial to recovering from a ransomware attack. Restorations should be tested regularly.

 

Case 3

A physician’s staff returned from lunch to find their network encrypted, along with a ransom demand. Patients’ protected health information had been breached, and 30,000 patients were notified. Before this incident, the physician believed that his practice was too small to be hacked, insisting “who would want my data?” The practice has now invested heavily in new IT, cyber risk management, and cyber security services.

Physicians and employees are the greatest vulnerability when it comes to ransomware attacks. Simply clicking on a link, opening an attachment or using weak or infrequently changed passwords can be the beginning of a long and costly process.
 

Case 4

A pediatric clinic fell victim to a ransomware attack, in which more than 100 computers were affected. The computers contained confidential patient information, which may have been compromised during the breach.

The clinic did not pay the ransom and instead focused efforts on reconfiguring the affected computers and restoring the lost data from a backup. However, the clinic soon discovered that back ups had never been properly executed or stored.

An attorney determined that the incident was a breach under HIPAA Rules, requiring notification to all patients of the clinic because it could not be determined exactly how many patient records were compromised by the breach.
 

Case 5

A medical practice’s network was breached by an email phishing scheme, when an unsuspecting office manager opened an email attachment that contained the “Crypto-Locker” virus. The malware virus encrypted patient files stored on the practice’s servers, and the perpetrator threatened to delete all files unless a ransom was paid.

The incident was reported to the cyber liability insurance carrier. An IT forensics specialist determined the threat to be credible and recommended that the ransom be paid so that further exposure and/or loss resulting from the incident could be assessed.

The ransom, IT forensic costs, and legal expenses were covered by the practice’s cyber liability insurance policy.