There is a reason hackers have started targeting hospitals and medical practices. Not only is their cyber security known to be woefully lacking (despite the best efforts of the U.S. Department of Health and Human Services [HHS] and HIPAA regulations), but the electronic Patient Health Information (ePHI) can literally be a matter of life and death. Meaning? The healthcare industry has no choice but to pay up.
This is the exact scenario Virtual Care Provider (VCP), a Milwaukee-based company servicing over 100 nursing homes across the US, found itself in last month. They had to notify their patients that they did not have access to their medical records, meaning they were unable to communicate any prognoses to their patients, because they fell victim to a ransomware attack that was holding their ePHI hostage until the company coughed up a staggering $14 million in ransom.
On Nov. 18, the day after the hack was uncovered, VCP sent out a notification to its clients that while they were figuring out if any of their PHI had been compromised, they did know that approximately 20 percent of their services were impacted, and they had to rebuild 100 of their servers.
What Hold Security, the company hired by VCP to investigate the breach, has discovered since that time is quite disturbing: VCP was breached by Russian hackers who used phishing emails to infect its network, undetected, over the course of 14 months.
VCP doesn’t have $14M to give to the cybernappers, resulting in many of their nursing homes being unable to:
- Access the medical records of their patients
- Use the internet
- Issue paychecks
- Dispense meds
Not only does this cause grave concern for many patients’ overall health, but it’s unknown if the facilities themselves will be able to brave this storm, as they are unable to bill Medicare or insurance companies for reimbursements. The average ransom is just under $40,000, and it’s unknown why the hackers are requiring such a huge payout, but what is clear is that VCP can’t pay what’s being demanded.
And do you know the worst part of this all?
This situation was completely avoidable. Had VCP been HIPAA compliant… Had they trained their employees in cybersecurity… Had they, at the very LEAST, backed up their data… They wouldn’t be in this predicament. Sure, it may be a bit costly to make sure the business’s cyber security is in check, but it wouldn’t have put them out of business, and it most CERTAINLY wouldn’t have put their patients’ health in peril.
Is your business HIPAA compliant? Contact us today for a free consultation, and avoid these mistakes in the future.