Rash of Ransomware Attacks Shows Inevitability, Imperative to Prepare

By Jane Anderson

Ransomware experts agree: Bad actors are targeting the health care sector at an accelerated pace, and if an organization lacks safeguards, it is at high risk of a data breach.

Cybercriminals view every type of organization as a moneymaking opportunity, said Rebecca Herold, president of SIMBUS360 and CEO of The Privacy Professor. However, small and mid-sized organizations can be particularly fruitful targets for them because those smaller organizations—which include many covered entities (CEs) and business associates (BAs)—don’t have dedicated positions for cybersecurity.

“Every CE and BA will be targeted at least once, but often many times,” Herold told RPP. “CEs and BAs will get hit with ransomware from at least one of the attempts if they do not provide sufficient training and keep awareness high within their workforce. They will then end up paying if they do not have a sufficient backup and recovery plan in place.” Herold added that “all these ransomware attacks have revealed that far too many organizations are woefully lacking in such preparedness.”

Ransomware spiked during the COVID-19 pandemic, and has reached seemingly epidemic proportions within the health care industry. A sampling of recent incidents reveals a wide range of organizations affected, with varying impacts:

  • St. Joseph’s/Candler, the largest hospital system in Savannah, Georgia, first detected a ransomware attack on June 17 that hobbled some systems. Restoration efforts continued into the end of June, according to a statement from the hospital system on June 29: “St. Joseph’s/Candler continues to make progress on our restoration efforts and has activated certain clinical systems. We have been and continue to admit and care for patients. We will continue to work methodically to restore remaining systems as quickly and safely as possible.”[1]

  • Ransomware at a fertility treatment provider in Atlanta resulted in a data breach that exposed sensitive personal and medical information of around 38,000 patients, according to the organization. Reproductive Biology Associates (RBA), which also co-founded MyEggBank, the largest network of donor egg banks in North America, said in its notice that the clinic first became aware of an incident on April 16.[2]

    The organization discovered that “a file server containing embryology data was encrypted and therefore inaccessible.” According to the organization, “we quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day.” RBA said the hacker “first gained access to our system on April 7, 2021 and subsequently to a server containing protected health information on April 10, 2021.”

    During the investigation, RBA said, “access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.” The fertility organization also said that “in an abundance of caution, we conducted supplemental web searches for the potential presence of the exposed information, and at this time are not aware of any resultant exposure.” Full names, addresses, Social Security numbers, laboratory results and “information relating to the handling of human tissue” was exposed in the breach, the organization said.

  • An attack that a consultant said could be ransomware hit University Medical Center in Las Vegas in late June.[3] The hacker group REvil began posting personal information online purportedly obtained in the cyberattack, including images of Nevada driver’s licenses, passports and Social Security cards for around half a dozen alleged victims. Hackers sometimes post data online in an effort to push an entity to pay a ransom demand.

    After receiving an inquiry from the Las Vegas Review-Journal, University Medical Center issued a statement confirming that cybercriminals in mid-June accessed a server used to store data. “This type of attack has become increasingly common in the health care industry, with hospitals across the world experiencing similar situations,” the medical center said.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings