Your Medical Records Could be Held for Ransom

Last month a Los Angeles hospital’s computer system was taken over by hackers and the criminals demanded a ransom payment in Bitcoin to release the electronic medical records.

From the hospital’s press release:

“On the evening of February 5th, our staff noticed issues accessing the hospital’s computer network. Our IT department began an immediate investigation and determined we had been subject to a malware attack. The malware locked access to certain computer systems and prevented us from sharing communications electronically. Law enforcement was immediately notified. Computer experts immediately began assisting us in determining the outside source of the issue and bringing our systems back online. The reports of the hospital paying 9000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000. The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this. HPMC has restored its electronic medical record system (“EMR”) on Monday, February 15th.”

Ironically, three days prior to this incident, on February 2nd, OCR released on its Security Listserv, the following information on ransomware:

“Ransomware is malicious software that, when deployed, effectively walls off data so that it is inaccessible to authorized users. Ransomware frequently infects devices and systems through spam and phishing messages, botnets, exploit kits, compromised websites, and malvertising. Ransomware uses a social engineering trick to get potential victims to click on malicious email attachments or open crafted Short Message Service (SMS or text) messages, which lure them to compromised or malicious websites. Ransomware targets all sizes of businesses and institutions, home computers, mobile phones, and other devices.

According to the FBI, use of ransomware by cybercriminals has increased significantly recently. Reports by IBTimes claim that cybercriminals from many different countries are increasing ransomware attacks on U.S. targets. Also, a joint study conducted by several security firms estimates that creators of ‘CryptoWall 3.0,’ a ransomware, have obtained over $325 million from victims since its January 2015 launch. Fox-IT, a cybersecurity company, reported that ‘CryptoWall,’ ‘CTB-Locker,’ and ‘TorrentLocker’ are three top active ransomware programs. Cybercriminals charge from hundreds to thousands of dollars to unlock the data, and have been collecting ransom payments using digital payments systems such as ‘MoneyPak,’ ‘CashU,’ ‘Reloadit,’ and ‘Bitcoin.’

To combat the threat of ransomware, Covered Entities and Business Associates should consider:

  • Backing up data onto segmented networks or external devices and making sure backups are current.
  • Ensuring software patches and anti-virus are current and updated.
  • Installing pop-up blockers and ad-blocking software.
  • Implementing browser filters and smart email practices.



The Department of Homeland Security (DHS): – (For Ransomware remediation)

The Federal Bureau of Investigations (FBI): – (To Report ransomware schemes)”

Donna Vanderpool, MBA, JD – Vice President As Vice President of Risk Management, Ms. Vanderpool is responsible for the development and implementation of PRMS’s risk management services for The Psychiatrists’ Program. Ms. Vanderpool has developed expertise in the areas of HIPAA and forensic practice, and has consulted, written and spoken nationally on these and other healthcare law and risk management topics. She most recently contributed to a chapter in Gun Violence and Mental Illness (APPI), authored chapters on telepsychiatry in Mental Health Practice in a Digital World (Springer) andPsychoanalysis Online 2(Karnac). She also has co-edited and contributed chapters to several other clinical textbooks. Prior to joining PRMS in 2000, Ms. Vanderpool practiced criminal defense law, taught business and legal courses, and spent eight years managing a general surgical practice. Ms. Vanderpool received a Bachelor’s degree in Business Administration and Management from James Madison University. She also earned a Master of Business Administration degree and Juris Doctor degree from George Mason University.Follow Donna on LinkedIn.

Categories: PRMS Blog