Ransomware Shuts Down Practice Over $6500!
The healthcare sector has been hearing about ransomware and its dangers for years now. A recent breach headline highlights just how devastating this type of attack can be when a practice is ill prepared for it. In Battle Creek, Michigan, a two-doctor practice found its system encrypted with ransomware. The Brookside ENT and Hearing Center could not access the patient records, appointment schedule, or payment information housed on its servers, effectively shutting down the practice until the problem was dealt with.
Of course, the attackers offered a decryption key for ransom: $6,500 to restore access to all of the practice’s records. However, William Scalf, MD, and John Bizon, MD, the two owners of Brookside ENT and Hearing Center, decided not to pay this sum. Their reasoning was that, since the attackers could not guarantee that the files would be decrypted, there was nothing to stop them from simply demanding another payment. Perhaps the doctors thought that the threat would dissipate, or that there would be some opportunity to negotiate. However, this was not the case. In the absence of payment, the attackers deleted all files on the practice’s system. No information was recoverable. Rather than trying to rebuild all the information that was lost, the two doctors decided to take early retirement and closed their practice for good.
This conclusion is troubling for a number of reasons. A practice with proper backups would have been able to simply restore its data from a secure copy kept off-premise or in the cloud, and never worry about paying the ransom. Perhaps a day or two of data might have been lost in the transition, but the vast majority of patient data and practice records would have been safe. It is clear from the way this played out that the practice did not have the option of restoring its system from a backup.
However, the more troubling outcome is the loss of patient records. Whether to do the work of rebuilding their practice is a judgment call the doctors are entitled to make. But patients losing the records of tests, visits, and even surgeries because this practice did not have its data backed up is unconscionable. This may impose great cost on some patients, who may need to retake tests to replace results that were lost. One patient reported having to find a new practice to take her daughter to for a follow-up appointment after a surgery, but without any of the records from that surgery.
The Brookside ENT and Hearing Center will officially close on April 30th due to the loss of all its operating data. It should be noted that not possessing recoverable patient records is a violation of HIPAA rules, and even with the practice closed the doctors may be at risk of a HIPAA fine for not maintaining their records for the required period. While such ransomware attacks and breaches are not always avoidable, a total loss like this one is easily prevented with a comprehensive backup solution. Every practice should review and test its backup procedures as part of its basic HIPAA compliance activities.
Healthcare Technology Advisors offers comprehensive compliance services and consulting. Call (314)312-4701 today to schedule a meeting with Derrick Weisbrod if you feel your practice’s compliance may be at risk.