Content, Breach, Ransomware

Ransomware Crooks Hit Two Healthcare Organizations, One Pays, the Other Didn’t Say


Cyber kidnappers love holding healthcare organizations hostage. It’s a particularly repugnant thing to do, hijacking people’s medical information, blockading access to critical applications and such, all in a demand for money. No matter, the medical industry is a favorite target of ransomware extortionists, who so far have shown no remorse for their dirty deeds. Don’t hold your breath on that one.

Now we have two more episodes back-to-back, the first culminating in a $50,000 payment to the crooks to restore a regional medical group's systems, and the second a bit less injurious but no less meaningful. In the first instance, Hancock Health, a Greenfield, IN-based hospital network, coughed up the $50,000 ransom demanded by cyber gangsters who had encrypted patient records and barricaded company emails in a SamSam attack, IndyStar reported.

Hancock Health Pays Ransomware

The hijackers, who apparently gained access through a third-party vendor’s account, changed the names of some 1,400 filed to ‘I’m sorry’ and demanded four bitcoins to reverse the damage. Hancock determined the amount of money was worth it, deeming it a business decision. "The amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients," Rob Matt, Hancock’s chief strategy officer, told IndyStar.

On paper it appears he was right. Soon after Hancock met the bitcoin demand, the cyber crooks unlocked the health facility’s data. In the aftermath, Hancock said that patient records were not compromised, life support and other critical hospital services were not affected and patient safety was never at risk.

Will Hancock’s seemingly quick decision to pay the ransom embolden other kidnappers to lower their demands but increase the frequency of their attacks on healthcare outfits? Or is Hancock a one off? The company's CEO Steve Long reportedly said the hospital could have retrieved backup files rather than pay the ransom but feared it would take too long.

Another Ransomware Attack: Allscripts

In a second, unrelated attack, Allscripts, which sells sells software and services to healthcare providers, was hit with a ransomware attack fortunately confined to only a few of its applications. Allscripts’ first run-through indicated the attack was more inconvenience than data theft.

“Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems,” an Allscripts spokesperson told FierceHealthcare. At this point, Hancock isn't saying if it paid the shakedown demand or if one was even presented by the culprits.

Evidently, an Allscripts user tipped HIStalk to the attack, which is said to have crashed applications hosted on two data centers in North Carolina, including Allscripts' Professional EHR platform and some e-prescribing systems. Two instances in the field indicated it’s the latter functionality that went down, FierceHealthcare reported. Northwell Health apparently unhooked from Allscripts data centers as providers were unable to use the application to digitally prescribe medications. And, a physician with the Sunflower Medical Group also reported the same difficulties, the report said.

As is almost always the case in ransomware attacks, just who took down Hancock and Allscripts remains a fill-in-the-blanks exercise at this time.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.