Ransomware attack on cloud vendor freezes nursing home EHR data

Virtual Care Provider Inc., which provides hosting and IT services to post-acute care facilities nationwide, was hit by the Ryuk variant, locking access to patient data at 110 nursing homes.
By Mike Miliard
12:05 PM

A ransomware attack carried out by Russian hackers has potentially put the safety of nursing home patients at risk, after Milwaukee-based cloud hosting firm Virtual Care Provider Inc. was hit with Ryuk encryption, preventing access to electronic health record and medication administration data.

The hackers, who demanded $14 million in bitcoin for a decryption key that VCPI cannot afford, apparently spread by the ransomware via the TrickBot virus, according to company officials, who said they are "feverishly working" to restore access to critical data.

VCPI estimates that  20% of its servers were affected by the attack. The company's clients are primarily senior living and long-term care facilities, including 110 nursing home organizations with some 80,000 computers across 45 states.

"Right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first," VCPI's CEO, Karen Christianson told cybersecurity blogger Brian Krebs.

In a statement supplied this weekend to the Milwaukee Journal Sentinel, VCPI President  Zachary Koch said the company is "working diligently to restore these systems as quickly and safely as possible."

The extent of these nursing homes' exposure depends on which of VCPI's services they use, but Christianson told Krebs that the ransomware attack impacted web service, email, phone service, billing systems and EHRs.

Ryuk ransomware attacks have been on the rise over the past year or so, since it began attracting wider notice in 2018.

As U.S. Department of Health and Human Services Healthcare Cybersecurity Communications and Integration Center explained then, Ryuk – which has similarities to the damaging SamSam virus – is designed for targeted attacks, with its encryption functionality tailored toward smaller operations.

"Ransomware attacks are still alive and well," said HIMSS Director of Privacy and Security Lee Kim in the September/October 2019 HIMSS Healthcare and Cross-Sector Cybersecurity Report. "While the volume of ransomware attacks have decreased, these attacks have become more targeted and profitable."

In a letter from VCPI to its clients obtained by the Milwaukee Journal Sentinel, Christianson and Koch said the company is "prioritizing servers that provide Active Directory access, email, eMAR, and EHR applications. We will be communicating status updates often and transparently, and, in preparation for service restoration, recommending to you the most efficient manner for your users to regain authenticated access."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media.

 Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.

More regional news

Preferred Behavioral Health Group telehealth

(Credit: Preferred Behavioral Health Group)

A person in scrubs appears on a laptop screen

(Photo by Edwin Tan/Getty Images)

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.