On May 28, 2021, Sturdy Memorial Hospital announced that it was targeted by a ransomware attack that compromised the protected health information of 57,400 patients. More details regarding the incident, and ransomware payment are discussed.
How Did the Incident Occur?
According to the breach notification posted on Sturdy Memorial Hospital’s website, they discovered a security incident that affected some of their IT systems. Upon investigation into the incident, it was determined that threat actors gained access to Sturdy’s systems on the morning of February 9, 2021, and extracted files, including patient files.
Potentially compromised protected health information includes names, address and phone number, dates of birth, Social Security numbers, driver’s license numbers and other government-issued identification numbers, medical history information, treatment or diagnosis information, procedure or diagnosis codes, prescription information, provider names, medical record numbers, Medicare/Medicaid numbers, health insurance information, and treatment cost information.
Sturdy Memorial Hospital issued a statement regarding the incident, “We paid a ransom to obtain assurances that the information acquired without authorization would not be further distributed and had been destroyed. We can never know for certain if the criminal ransomware attackers will fulfill their promises. However, to date, we are not aware of any Sturdy data that was published by the attackers.”
How Has Sturdy Addressed the Problem?
Sturdy quickly terminated the unauthorized access, and took immediate steps to secure their systems. They have also notified potentially affected patients in breach notification letters via mail. Individuals potentially affected by the incident will receive complimentary credit monitoring and identity protection services through Experian.
In response to the Sturdy also, “implemented additional safeguards and technical security measures to further protect and monitor our systems to help prevent future occurrences of this nature.”
Advice on Paying Ransom
Cybersecurity experts largely advise against paying ransom to threat actors, as it only encourages them to continue to target healthcare organizations in attacks.
Brett Callow, Threat Analyst for Emsisoft states, “Paying to prevent the release of data makes little sense but, despite this, it’s exactly what numerous organizations have done. The ‘assurances’ in cases like this are nothing more than ‘pinkie promises’ from untrustworthy bad faith actors and, unsurprisingly, there is ample evidence that the actors do not necessarily abide by those pinkie promises. Why would they?”
HIPAA Compliance and Cybersecurity
Although it is unclear at this time how threat actors gained access to Sturdy’s systems, or if Sturdy will be investigated by the HHS for the incident, if hypothetically they were investigated, the HHS would assess their compliance with HIPAA practices. Additionally, with the cybersecurity bill that essentially excuses organizations when they are breached, IF they have a recognized cybersecurity framework in place, they would not be subjected to fines. Instead the HHS would provide them with technical assistance to address their vulnerabilities.
