In fall 2021, staffers at Johnson Memorial Health were hoping they could finally catch their breath. They were just coming out of a weeks-long surge of covid-19 hospitalizations and deaths, driven by the delta variant.
On Oct. 1 at 3 a.m., a Friday, the hospital CEO’s phone rang with an urgent call.
“My chief of nursing stated, ‘Well, it appears like we got hacked,’” said David Dunkle, CEO of the health system based in Franklin, Indiana.
The information technology team at Johnson Memorial found that a ransomware group had penetrated the health system’s networks. The hackers left a ransom note on every server, demanding that the hospital pay $3 million in bitcoin within a couple of days.
The note was signed by the “Hive,” a well-known ransomware group that has targeted more than 1,500 healthcare facilities, school districts, and financial companies in over 80 countries, according to the Justice Department.
Johnson Memorial was just one victim in a rising wave of cyberattacks on U.S. hospitals. One study found that cyberattacks on the country’s healthcare facilities more than doubled from 2016 to 2021, from 43 attacks to 91.
In the aftermath of a breach, the focus often falls on the risk of private patient information being exposed, but these attacks can also leave hospitals hemorrhaging countless dollars in the months that follow, and can disrupt patient care, potentially putting lives at stake.
After its own attack, the staff at Johnson Memorial suddenly had to go back to low-tech methods of patient care. They relied on pen and paper for medical records and notes, and sent runners between departments to take orders and deliver test results.
A couple of hours after that 3 a.m. call, Dunkle was on the phone with cybersecurity experts and the FBI.
The burning question on his mind: Should his hospital pay the $3 million ransom to reduce disruptions to its operations and patient care?
Dunkle worried about possible fines imposed by the Treasury Department’s Office of Foreign Assets Control against the hospital if it paid a ransom to an unknown entity that turned out to be on a sanctions list.
Dunkle also worried about possible lawsuits, because the hackers claimed they had stolen sensitive patient information that they would release to the “dark web” if Johnson Memorial did not pay up. Other health data breaches have led to class-action lawsuits from patients.
The Office for Civil Rights, within the Department of Health and Human Services, can also impose financial penalties on hospitals if patient information protected by federal privacy laws is disclosed.
“It was details overload,” Dunkle recalled. All the while, he had a hospital full of patients needing care and employees wondering what to do.
In the end, the hospital did not pay the ransom. Leaders chose