Indiana Hospital System Hit By Ransomware

Hancock Health (“Hancock”), a health system in Indiana, was hit by a ransomware attack in January of this year that prevented Hancock from accessing its own information systems. On the night of the attack, Hancock IT staff noticed their system performance slowing before the system’s computer screens began showing a message stating that they had been hacked and demanding payment in Bitcoin to receive the needed decryption keys from the hackers.

Luckily, Hancock had effective and up-to-date disaster response and recovery policies and procedures in place. Upon notice of the attack, Hancock implemented their disaster response and recovery plan and powered down over 1,200 desktops and all of their network systems. During this time period, Hancock’s electronic medical record system was taken offline and staff utilized paper records. Hancock then immediately began working with their outside counsel and a cybersecurity firm to put together a team to properly respond to the incident. After only a few days of investigation, the team identified the point from which the hackers infiltrated their system – a system back-up site – and concluded that the infiltration was made possible because the hacker group had stolen system log-in credentials from a third-party vendor responsible for support of one of Hancock’s information systems.

Hancock eventually made the decision to pay the ransom to receive the decryption codes, out of a concern that the hackers had also corrupted their back-ups – which later turned out to be accurate. Within the span of a week, Hancock’s team had successfully implemented a two-stage response to the attack: first, isolating the encrypted ransomware files from the remaining files and determining whether patient data had been pulled from the systems; and second, procuring Bitcoin to make the ransom payment while working with their cybersecurity insurance carrier to determine if the incident would be covered under their policies. Within five days of discovering the initial ransomware, Hancock’s team had the decryption keys, had decrypted over 1,400 files, and had Hancock’s critical information systems back up and running as normal.

This story illustrates the importance of having effective disaster response and recovery policies and procedures in place. This situation, though regrettable, could have been much worse had Hancock not been able to address the issue in an organized fashion as quickly as it did. Having a complete and effective HIPAA/HITECH compliance program in place, with regular testing, review and training, can help ensure that such an event is addressed in the proper way as quickly as possible to limit the damage done. Although these incidents are not always completely preventable, they can be effectively planned for. If you or the covered entity or business associate you work with have any questions about HIPAA, HITECH, or data liability and compliance in general, contact an attorney well-versed in these fields.