Cyber attacks affecting healthcare organizations show no sign of easing. A recent report by Comparitech identified at least 172 ransomware attacks on healthcare organizations since 2016. Comparitech used data from the Department of Health and Human Services, media reports, breach reports, and other reporting tools, and then compared this data with studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks. Comparitech faced limitations uncovering breaches, partly due to the lack of public access to information regarding breaches affecting fewer than 500 individuals, but Comparitech believes its findings are a representative sample of the overall problem.
According to Comparitech, there was at least one ransomware attack in every state except Maine, Montana, New Mexico, North Dakota, and Vermont, and over 6 million patient records were affected by cyber attacks. While ransomware demands vary and may not be publicly released, Comparitech found that at least $16.4 million was demanded through ransomware attacks. However, Comparitech found that the largest losses for organizations stemmed from downtime, estimating that the cost of downtime to all healthcare providers attacked is between $158 million and $240 million. Comparitech predicted that cyber attacks will continue to pose a threat to the revenue and operations of healthcare providers.
So far, Comparitech’s predictions appear to be coming true. For example, the Pediatric Physician’s Organization at Children’s hospital (“PPOC”), an affiliate of Boston Children’s Hospital, suffered a system outage after a malware attack on February 10, 2020. PPOC serves over 350,000 patients, and the attack left many PPOC practices without access to health records or scheduling calendars. PPOC has noted that 11 out of approximately 200 servers were affected. PPOC’s IT team, working with Boston Children’s Hospital’s IT department, contained the malware and quarantined the affected servers. PPOC also shut down unaffected servers as a precautionary action. However, PPOC has not released a report on the full impact of the malware attack or whether unsecured PHI was accessed.
The full impact of a cyber attack, such as the one suffered by PPOC, can take months to uncover. For instance, unauthorized individuals accessed Hospital Sisters Health System’s (“HSHS”) email messages and attachments over a three-day period in August 2019. HSHS, a 15-hospital system serving patients in Wisconsin and Illinois, engaged a computer forensic company to investigate the breach. After four months of investigating, the computer forensic company informed HSHS that attackers could have accessed patient data, including names, clinical data, social security numbers, medical insurance information, and dates of birth of more than 16,000 patients.
The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with cyber attacks and other cyber security-related matters. If you need assistance with such a matter, please contact us today.