Why an Indiana hospital chose to pay its ransomware attackers

When a ransomware attack hit Greenfield, Ind.-based Hancock Health Jan. 11, the hospital decided to pay the hackers to regain access to their files—which federal investigators have urged targets of these attacks not to do. Hancock president and CEO Steve Long, however, said it was the right decision because backup files had been compromised.

As Long explained in a blog post, the attackers were believed to be a “sophisticated criminal group” in Eastern Europe that used the login credentials of a IT hardware vendor for the hospital, not through the more common ransomware route of using phishing emails. They gained access to a server from its emergency backup facility to deliver malware known as “SamSam,” which encrypted the hospital’s data files.

“The attack on Hancock Health was not random, it was a pre-planned event that used the hacked login ID and password of an outside vendor to gain entrance into the system,” Long wrote. “The fact that this was a premeditated attack specifically targeted on a health care facility makes the attack indefensible in my estimation.”

As executives, attorneys, cybersecurity specialists and the Federal Bureau of Investigation (FBI) became involved early in the morning on Jan. 12, the source of the attack was discovered. Because the connection between the backup site and the hospital had been compromised, replacing the encrypted data with a backup wouldn’t have been easy, so the hospital decided to pay the attackers $55,000 in bitcoin to unlock the files.

Several days after coughing up the ransom, Long said the hospital learned backup files from systems other than health record themselves had been “purposefully and permanently corrupted by the hackers.” This means backing up the rest of its systems would’ve never been a possibility.

What followed, Long said, was an arduous weekend restoring the hospital’s computer systems and examining whether any patient data had been compromised. This included installing new software and hardware for additional threat detection, physically turning on the tens of thousands of computers in the hospital and then transferring 70 hours’ worth of paper records back into the restored system.

“Amazingly, all of this happened in less than four days,” Long wrote. “During that short time, babies were born at the hospital, surgeries were completed at the hospital, patients were treated in the emergency room and many were admitted to the hospital. X-rays were taken, CT and MRI scans recorded, and laboratory tests were accomplished at the hospital. Patients visited our physician clinics and wellness centers. Food was served in our cafeteria and rooms were cleaned. In short, life went on. We even had a winter storm, and still, life went on.”

While Hancock was able to get its files back, other facilities which decided to pay the ransom haven’t been so lucky. In 2016, Kansas Heart Hospital paid its ransomware attackers, who then refused to unlock the files without a second payment.

Paying the ransom may also encourage hackers to target more healthcare facilities or Hancock itself again, now it’s seen as willing to pay to regain its data.

“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” said James Trainor, former assistant director for the FBI’s cyber division. “And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.