Brookside ENT & Hearing Services has permanently shut its doors after a devastating malware incident destroyed all of its electronic medical records. It is apparently the first U.S. healthcare provider closes after a ransomware attack, according to cybersecurity experts.
Four breaches of patient files have already been reported this year in Minnesota, where hackers are attacking hospitals and clinics in increasing numbers. However, previous attacks have led to only minor workflow interruptions.
Ransomware is malicious software (malware) that denies users access to their information until a payment is made. The demands are typically delivered via email. Ransomware has become the most common form of malware affecting businesses, according to Verizon’s 2018 data-breach report.
This particular ransomware began by deleting all of the practice’s medical records, billing information, and appointment logs, including backups. The attackers offered a duplicate of the deleted files, to be unlocked with a password provided by the attackers after a $6,500 ransom was wired to an account, according to the clinic’s doctors.
Dr. William Scalf, 64, and Michigan state senator Dr. John Bizon, 66, refused to pay the attacker’s ransom. There was no guarantee the password would work or that the malware wouldn’t return, Scalf said in an interview.
Only about one third of providers who pay the fee requested by hackers will receive restored access to their data.
Scalf said the attack was not formally reported as a HIPAA breach because an “IT guy” advising them determined the attackers did not view any of the patient records. However, faced with rebuilding their entire practice due to the loss of records, the doctors decided to close their business April 1 and retire about a year earlier than planned.
However, because they had lost access to their patient records, they had no way to communicate closing to their patients. “We didn’t even know who had an appointment in order to cancel them,” Scalf said. “So what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.”
Local resident Ann Ouellette’s teen daughter lost her records in the attack, Ouellette told west Michigan CBS affiliate WWMT. Her daughter developed a sinus infection a month after surgery and must find a new doctor for follow-up care. Hearing-test results were also lost in the attack.
Researchers suggest that this is the first healthcare practice in the country to actually shut down entirely due to a malware incident. Though some of the data may be recoverable, it’s impossible to know until the system has been accessed.
Most small businesses are underprepared for ransomware threats, which are largely caused by human error. Improper employee training on the dangers and risks of cybersecurity threats can lead to massive mistakes and allow hackers access to sensitive healthcare data.
Healthcare systems are not the only small businesses in danger from attackers, but personal medical records are uniquely valuable. Healthcare data is worth three times more than financial information on the darkweb–and due to minimal security budgets, smaller practices are easy targets for ransomware attacks.
Four healthcare providers in Minnesota have reported breaches of protected health information (PHI) to the U.S. Health and Human Services Department in 2019. One such attack was a malware attack at a Woodbury reproductive medicine clinic affecting 40,000 patients, the second-largest PHI exposure in Minnesota since reporting began in 2010.
Other data breaches include hacking and email phishing at a Duluth-area behavioral health clinic (1,200 records), a Catholic-run hospital Baudette (885 records) and a Blue Earth community hospital district (2,143 records).
At this pace, Minnesota will exceed the 10 healthcare data breaches reported in 2018. An email hacking incident at the Minnesota Department of Human services affected 20,800 records in the largest breach last year.
A stolen laptop owned by medical suppliers Empi and DJO LLC was the largest reported healthcare breach ever in Minnesota, with 160,000 medical records compromised, reported in August 2015. However, the most infamous data breach in Minnesota was a stolen laptop from billing consultant Accretive in 2011. The laptop contained unencrypted medical records of 14,623 Fairview Health Services patients.
Although there are many reported incidents, security researchers say even more incidents go unreported where providers are quietly paying ransoms to their attackers to unlock their files.
Though Scalf worried an investigation would result in charges, he and Bizon reported the ransomware attack on Brookside ENT to the FBI. All ransomware attacks should be reported immediately. Healthcare entities should find a reputable data forensics specialist to review the files. HIPAA breach notification laws also require that data breaches of unsecured PHI be reported to the Department of Health and Human Services (HHS). The regulation also sets standards for notifying patients that have been affected by a data breach, especially those resulting from a ransomware incident.
In the case of Brookside ENT, both the original files and backups were corrupted, emphasizing how important it is to have backups kept offline, separated from the originals, where they are less likely to be affected by the same attackers. Off-site back-up allows healthcare providers to resume operations in the event of a ransomware incident.
To help business of all sizes improve their cybersecurity, the Healthcare Sector Coordinating Council in partnership with the U.S. Department of Health and Human Services published “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.” The four-volume guidebook “seeks to raise awareness for executives, healthcare practitioners, providers, and health delivery organizations, such as hospitals.”
In this age of increased vulnerability to sensitive healthcare data, the best way for providers to mitigate their risk is by implementing an effective HIPAA compliance program. HIPAA security standards demand that providers implement off-site back-up, as well as HIPAA encryption measures to keep data safe, even in the event of a potential cybersecurity incident.
