Your Money or Their Health! Hospital Data Held for Ransom

Data security in hospitals is a fundamental part of patient privacy, and the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to protect personal health records against unauthorized disclosure. But instead of stealing patient information, the newest cyber threat locks hospital computers and prevents providers from accessing their own data until a ransom is paid.

Ransomware is a cyber threat that has existed in its current form since about 2005. The early variants simply locked the victim's keyboard and screen until a ransom was paid. In recent years both the malware and the payment methods have been upgraded. With the development of crypto-ransomware, the files on the target computer, and on any network shares it can reach, are encrypted with a key that only the attacker holds, so the data cannot be recovered without it. Hackers also switched to bitcoin, a pseudonymous payment method that makes it quick and easy for attackers to collect ransoms while remaining hard to trace. In 2014, the FBI estimated that a single ransomware strain, CryptoLocker, had infected over 230,000 computers and generated more than $27 million in payments to hackers in just a two-month span. This crisis prompted the US Department of Homeland Security and the Canadian Cyber Incident Response Centre to issue a joint alert cautioning that "[i]nfections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist." The strength of the encryption and the time it takes to rebuild affected systems have forced numerous victims, including a South Carolina school district and local police departments in several states, to give in to the hackers' demands. Even a high-ranking FBI official advised victims to consider paying: "The Ransomware is that good. . . . To be honest, we often advise people just to pay the ransom."

Hospitals and other healthcare facilities are among the victims of the newest wave of ransomware attacks. Hospitals are particularly susceptible to these attacks because of the time-critical nature of patient data. Prescription history, treatment orders, personal preferences and even advance directives are just some of the records that providers need to have readily accessible to deliver effective care. It is this urgency of access that makes hospitals ideal victims.

The two most recently reported hospital ransomware attacks hit Hollywood Presbyterian Medical Center in Los Angeles and MedStar Health, a network of ten Maryland and D.C. hospitals. The attackers demanded similar amounts from each, reportedly 40 and 45 bitcoins, worth approximately $17,500 and $19,000 respectively. With computer systems shut down, hospital staff had to revert to handwritten procedures and orders that were faxed or delivered in person. Patient safety issues and treatment delays were reported at both health systems, since physicians and nurses could not use the safeguards that electronic patient records provide, such as automated drug-interaction checks. However, the two similar attacks were handled differently.

After about a week of trying to fix the problem with the FBI's technical help, Hollywood Presbyterian decided to pay the ransom. The hospital's CEO, Allen Stefanek, explained: "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key." The decision to pay was consistent with the earlier FBI advice, and once the funds were transferred, the hospital's systems came back online.

MedStar, however, declined to pay the ransom. It kept its hospitals open at limited capacity while it shut down its entire network and restored its servers from backups. MedStar stated that it was continuing toward a complete restoration of the system's capabilities and that it was fully able to respond to its patients' needs. With regard to the MedStar attack, the FBI warned that there is no guarantee that a system will be fully restored even after the ransom is paid.

Learning from these experiences, hospitals and other healthcare facilities must prepare for this type of cyber security breach. It is still unclear what implications these attacks will have for providers' liability under HIPAA, or for the FTC's enforcement of data security breaches. What is clear is that ransomware is a profitable tool in the hands of hackers who are unfazed by the risk to the health and lives of patients. Health systems will certainly have to step up their cyber security awareness and prepare for potential attacks by maintaining backups that the malware cannot reach, since a backup share mounted on an infected machine is encrypted along with everything else, and by regularly testing that those backups can actually be restored.
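The following Python script is an added illustration of the backup point above; it is not code from the original post or from any hospital or agency mentioned in it. It models a crypto-ransomware infection on an EHR host that also has a backup share mounted, alongside a second backup copy the host cannot reach, and then runs the restore check that a practitioner should be doing on a schedule. The patient records and directory names are constructed for the demo, and the SHA-256 keystream XOR stands in for the real AES/RSA hybrid encryption only so the script runs with the standard library; it is not a secure cipher.

```python
"""Why a backup must be unreachable from the infected host (added demo)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample "EHR" files; the contents are made up for this demo.
SAMPLE_RECORDS = {
    "patients/0001.txt": "Rx: metformin 500mg BID; allergy: penicillin",
    "patients/0002.txt": "Advance directive: DNR on file",
    "orders/labs.csv": "id,test\n0001,CBC\n0002,BMP\n",
}


def toy_stream_cipher(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream. Demo stand-in for the
    AES/RSA hybrid real crypto-ransomware uses; NOT a secure cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def write_records(root: Path) -> None:
    """Populate a directory tree with the constructed sample records."""
    for rel, text in SAMPLE_RECORDS.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def simulate_ransomware(reachable_roots, attacker_key: bytes) -> int:
    """Model of the attack: every file under every path the infected host can
    write to (local disk AND any mounted backup share) is overwritten with
    ciphertext under a key only the attacker holds. Returns files hit."""
    hit = 0
    for root in reachable_roots:
        files = [p for p in Path(root).rglob("*") if p.is_file()]
        for path in files:
            nonce = os.urandom(16)
            ciphertext = toy_stream_cipher(path.read_bytes(), attacker_key, nonce)
            path.write_bytes(nonce + ciphertext)
            path.rename(path.with_name(path.name + ".locked"))
            hit += 1
        (Path(root) / "HOW_TO_DECRYPT.txt").write_text("send bitcoin for the key")
    return hit


def backup_is_intact(backup_root: Path) -> bool:
    """Restore drill: every expected file exists, unrenamed, with the expected
    content. Run this regularly, not for the first time after an incident."""
    for rel, text in SAMPLE_RECORDS.items():
        p = backup_root / rel
        if not p.is_file() or p.read_text() != text:
            return False
    return True


def restore_from(backup_root: Path, production_root: Path) -> None:
    """Replace the production tree with the backup copy."""
    shutil.rmtree(production_root)
    shutil.copytree(backup_root, production_root)


def run_scenario() -> dict:
    """Infect the EHR host, check both backups, restore from the good one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        prod, online, offline = base / "ehr", base / "nas_backup", base / "offline_tape"
        write_records(prod)
        shutil.copytree(prod, online)   # backup share mounted on the EHR host
        shutil.copytree(prod, offline)  # backup copy the host cannot reach
        hit = simulate_ransomware([prod, online], attacker_key=os.urandom(32))
        online_ok = backup_is_intact(online)
        offline_ok = backup_is_intact(offline)
        restore_from(offline, prod)
        return {
            "files_encrypted": hit,
            "online_backup_intact": online_ok,
            "offline_backup_intact": offline_ok,
            "restored": backup_is_intact(prod),
        }


if __name__ == "__main__":
    print(run_scenario())
```

Running the script shows six files encrypted (three on the EHR host and three on the mounted share), the mounted backup failing its integrity check, and a successful restore only from the copy the infected host could not write to. The same drill, pointed at real backup targets and a known-good manifest, is the check that tells a health system before an incident whether its backups are actually safe from malware penetration.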


Nesko Radovic is pursuing his law degree at DePaul University College of Law in Chicago. Mr. Radovic obtained his B.S. in Business Administration from Strayer University in Washington, DC. He is an active member of the Mary and Michael Jaharis Health Law Institute, a staff writer for the Institute’s online publication, E-Pulse, and the DePaul Journal of Health Care Law. Mr. Radovic hopes to focus his career in health care-related finance, strategy and compliance issues, after graduating in December of 2017.