Hancock Health, a health system based in Greenfield, Indiana, was hit with a ransomware attack Thursday night, and in response, according to media reports, health system officials shut down the entire network and eventually paid the hacker a bitcoin ransom in the amount of $55,000.
According to a post on the health system’s website, at approximately 9:30 p.m. on Thursday, January 11, an attack on the information systems of Hancock Health was initiated by an “as-yet unidentified criminal group.”
“The attack used ransomware, a kind of computer malware that locks up computers until a ransom is paid, usually in the form of Bitcoin. Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected,” the health system stated.
And, health system officials said that Hancock is continuing to work with national law enforcement to learn more about the incident. Health system officials also reported that the particular type of ransomware used in the attack was the SamSam ransomware.
According to an article by local newspaper the Greenfield Daily Reporter, hospital officials told the newspaper that Hancock Health paid a $55,000 ransom to hackers to regain access to its computer systems. During the time the network was down, doctors and nurses reverted to pen and paper to keep track of patients’ medical records, local media reported. And, health system officials posted written notices outside Hancock Regional Hospital informing patients and employees of problems with the hospital’s computer system.
Citing health system officials, Greenfield Daily Reporter journalist Samm Quinn wrote that the health system paid the ransom around 2 a.m. Saturday and that the files had been returned about two hours later.
According to local media reports, staff members at the hospital noticed computers were running slower than usual Thursday evening. “A short time later, a message flashed on a hospital computer screen, stating parts of the system would remain locked until a ransom was paid. Hospital leaders later learned the hacker gained access to the system by using the hospital’s remote-access portal, logging in with an outside vendor’s username and password,” as reported by the Greenfield Daily Reporter.
The article quoted Hancock Health CEO Steve Long as stating that the attack was not the result of an employee opening a malware-infected email, a common tactic used to hack computer systems.
Quinn wrote in the Greenfield Daily Reporter article posted January 15, “Part of the health network had been held hostage since late Thursday, when ransomware locked files including patient medical records. The hackers targeted more than 1,400 files, the names of every one temporarily changed to ‘I’m sorry.’ They gave the hospital seven days to pay or the files would be permanently encrypted, officials said.”
Quinn further quoted Long, Hancock Health CEO, as stating that an analysis since the attack confirmed no personal patient information was taken by the hackers, believed to be located in eastern Europe.
In that same article, Quinn reported, “The affected files were backed up and could have been recovered, but restoring them would take days — maybe even weeks — and would be costly, Long said.” Quinn also reported, “From a business standpoint, paying a small ransom made more sense, he said.”
And, Quinn reported that the hacker asked for four bitcoins. “At the time of the transfer, those four bitcoins were valued at about $55,000,” she reported.
And, according to Quinn’s reporting, health system officials faced some tough decisions about whether to pay the ransom. The article quotes Long as saying, “These folks have an interesting business model. They make it just easy enough (to pay the ransom). They price it right.”
The hackers released the files early Saturday after retrieving the bitcoins uploaded to the web, Quinn reported. “By Monday, the hospital’s computer systems were up and running, though Long anticipated there could be some glitches to address in coming days and weeks,” Quinn wrote in the article.
And, Quinn reported that by midday Saturday, “the hospital’s network servers were up and running, WiFi was enabled, and IT staff members were inspecting each of the files to ensure they weren’t infected with any other malware. By Sunday evening, Hancock Health’s electronic medical record system was fully functional again for the first time since Thursday.”
The health system enlisted the help of a cyber security company as well as the FBI. The Greenfield Daily Reporter article cites Chris Bavender, a spokeswoman for the FBI’s Indianapolis field office, who declined to comment on the situation, citing the agency’s ongoing investigation into the attack at Hancock Health.