Hackensack Meridian Health pays up after ransomware attack

The undisclosed sum paid by the New Jersey health system, one of the state’s largest, is covered by an insurance plan that helps it cover costs related to cyber attacks, officials said.
By Nathan Eddy
11:27 AM

New Jersey’s Hackensack Meridian Health has been forced to pay up following a ransomware attack, the health system said on Friday, according to a report in the Asbury Park Press.

WHY IT MATTERS
The undisclosed sum paid out by the health system, one of the state’s largest, is covered by an insurance plan that helps it cover costs related to cyber attacks and the associated costs, Hackensack Meridian told the news outlet.

News of "external technical issues," which caused interruptions across the health system’s network, first broke on December 5 – the organization told the newspaper that it was unable to disclose the true nature of the disruption at the time due to an ongoing investigation.

In a statement provided to the paper at that time, Hackensack Meridian said the technical issues had been limited to rescheduling a "small number" of non-emergency procedures, and the organization said it was not aware of any impact to the confidentiality of health information, including patient records.

The attack, which affected all 17 hospitals and clinics, forced the health system to use paper records as it worked to bring systems back online, during which time the FBI, law enforcement and regulatory authorities were contacted to conduct investigations into the breach.

THE LARGER TREND
The Hackensack Meridian incident is just the latest in a string of high-profile ransomware attacks across the globe, including a November attack on a cloud vendor that froze nursing home EHR data.

In October, Alabama hospital system DCH had to pay to restore systems after a ransomware attack forced them to shift operations into manual mode, using paper copies in place of digital records – the organization purchased a decryption key from the hackers for an undisclosed sum.

Meanwhile, healthcare data is at risk as hackers innovate and hone their techniques, and the black market for hackers and cybercriminals is thriving, particularly regarding sales of credentials for Remote Desktop Protocol servers – a popular entry point for ransomware – according to a September report from cloud security provider Armor.

The U.S. Department of Health and Human Services, the FBI and most security experts agree that health organizations should not pay ransoms to cyber attackers. The fact that Hackensack Meridian had insurance for such an event may have influenced its thinking.

For those health organizations looking to invest in cyber insurance, there are many factors to consider before signing on with a policy.

ON THE RECORD
"We believe it's our obligation to protect our communities' access to health care," said Hackensack Meridian Health in the latest statement provided to the paper, adding that the breach "makes it clear that even the best preparation may not prevent a successful attack."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.