Hospitals snail-mailed ransomware hoax; FBI investigation ongoing
A hospital in California was alarmed by an apparent ransomware attack, only to discover the incident was a hoax.
According to a statement released by Hazel Hawkins Memorial Hospital, the organization was contacted by an unknown party—via a physical letter sent through the mail—claiming they had accessed the hospital’s “Information Systems over the past several weeks” and intended to publish the data unless a ransom was paid.
The hospital said it immediately launched an investigation alongside its cybersecurity partner, bringing in local, state and federal authorities. The team soon discovered that the ransom note was a “social engineering hoax” and that there was no ongoing breach of its network.
Furthermore, the group sending the suspicious letters has not been linked by authorities to any real-world ransomware attacks, the hospital added.
“Information privacy and security are among our highest priorities,” Hazel Hawkins CEO, Mary Casillas, said in the press release. “Upon learning of this event, we moved quickly to investigate and assess the security of our systems. We are confident that no data compromise occurred.”
After “extensive analysis,” Hazel Hawkins confirmed that its patient data is safe. The hospital also linked to a post from the American Hospital Association (AHA), which stated that such scams have become more common in recent weeks.
“It is highly unusual and highly unlikely that a real foreign ransomware group would send hard copy letters through the USPS,” John Riggi, AHA national advisor for cybersecurity and risk, said. “I have personally reviewed the letters and discussed the situation with some of the victim organizations and the Federal Bureau of Investigation (FBI). The consensus reached was that these extortion attempts were most likely hoaxes.”
The AHA added that the FBI is investigating these letters to identify the perpetrator. Until the culprit is found, the AHA recommends that hospitals report suspicious mail to the authorities.
“It is also recommended that the letter and accompanying envelope be handled minimally and preserved in a larger paper envelope for possible fingerprint and forensic examination by law enforcement,” Riggi added.
The AHA said a statement from the FBI is forthcoming. It’s not clear how many healthcare entities have been targeted by the scam.