Louisville, Kentucky-based Park DuValle Community Health Center recently paid hackers a ransom of $70,000 to unlock the medical records of about 20,000 patients, after a ransomware attack locked the providers out of their system for almost two months, according to local news outlet WDRB.
The nonprofit health center, which provides care for low-income patients and the uninsured, fell victim to a ransomware attack on June 7, which impacted its medical records system and appointment scheduling platform.
Officials said it was the second ransom-based attack on their computer system since April. The previous attack locked down computers for about three weeks. However, officials said they were able to rebuild its systems afterward using backups that were stored elsewhere. They did not pay the first ransom.
However, after the second attack, Park DuValle officials contacted the FBI and outside information specialists and decided to pay the ransom instead of rebuilding the system from scratch.
Payments were made installments: one paid two weeks ago and the other was paid last week in the form of 6 bitcoins, or about $70,000.
The report did not outline the details that differed in this attack from the ransomware event in April that prompted Park DuValle to pay the ransom instead of rebuilding its system again. Typically, the FBI and security researchers all warn against paying ransoms as there is no guarantee data will be restored. Further, paying ransoms encourages hackers to continue targeting the sector.
The hackers provided encryption keys, which the health center is using to restore the data. Officials said the hope is to have full data access restored by August 1. In total, officials said the ransomware attack has cost the provider upwards of $1 million.
The four Park DuValle clinics have been operating on downtime since the event, writing down all patient and treatment information on paper and storing files in boxes. As a result, clinicians have been unable to schedule appoints, while patients had to provide details on their medical histories or treatments from memory.
The ransomware attack impacted the records of both current and former patients, which includes insurance details, contact information, and medical data. Officials said hackers did not obtain the data, but they are without access to the information: “It’s like having a piece of paper and it’s in a foreign language that you don’t understand.”
Officials have notified the Department of Health and Human Services already, given Park DuValle is partially government funded. The network firewalls show there was no outgoing data, and therefore no breach, according to officials.
Ransomware attacks are typically monetarily driven. But given the complexity of the attacks, in 2017, HHS reworked its ransomware-related definition for breach notifications to place the burden of proof on providers. Park DuValle will need to be able to prove, not only that the data did not leave the system, but that hackers did not view or access patient information.
Park Duvalle is one of several providers to report ransomware incidents in the past two weeks. On July 19, Bayamon Medical Center and Puerto Rico Women and Children’s Hospital reported they fell victim to a similar attack, which encrypted patient files of more than 500,000 patients. The notice did not show whether officials paid the ransom or whether those files have been recovered.
While ransomware attacks have declined in most sectors, healthcare and government systems have remained prime targets given their typically vulnerable systems and need for data access. A recent report showed that the cost of ransomware attacks are on the rise, causing nearly 10 days of downtime.