$55k Ransom Paid by Indiana Health Organization to Retrieve Files

by Ryan Coyne | Jan 18, 2018

Hancock Health , based in Greenfield, Indiana experienced a ransomware attack on Thursday last week.

Employees of Hancock were forced to use offline methods to record patient health information, while IT staff tried to respond to the attack and save the encrypted files.

The attack kicked off at began around 9.30pm on Thursday night when files on its network were hit with encryption. The attack initially caused the network to operate slowly, with ransom notes being being visible on screens showing files had been encrypted. The IT team moved swiftly and started shutting down the network to restrict the success of the attack and a third-party IT firm was hired to help react to the ransomeware attack.

Operations continued as normal during the attack according to Hancock Health.

The results of an investigation into the attack uncovered nothing to suggest any patient health information was obtained by the attacker(s). The target of the attack was solely to cause disruption and lock files so the hospital would have to pay a ransom to recover its files.

An article published in the Greenfield Reporter stated that the attack involved a variant of ransomware called SamSam. The ransomware variant has been seen in numerous attacks on healthcare companies in the USA over the past 12 months. The unknown attacker(s) requested a payment of 4 Bitcoin to purschase the keys to remove the encryption from the network.

In line with HIPAA regulations, Hancock Health had performed backups and no data would have been lost following the attack; however, the process of recovering files from backups takes a major amount of time. The hospital would not have had access to files and information systems for some time if backups were used to restore the data. On Saturday, steps taken to pay the ransom.

The decision to pay the ransom was only taken after a lot of consideration. While patient services were not harmed, restoring files from backups would almost definitely have harmed patients and paying the ransom agreed to be the best option to avoid any disruption. The keys to remove the encryption were handed over within two hours of the ransom being paid and the network was brought back into operation on Sunday.

In most cases, these attacks are incurred when employees respond to phishing emails or visiting malicious websites online, although Hancock Health says this attack was not the result of employee being fooled by a phishing email.

Hancock Health has now added software that can detect unusual network activity that suggests an intrusion or ransomware attack, which will permit measure to be taken quickly to block, and limit the extent, of any additional attacks.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter