Ransomware attack leaves 5 years of patient records inaccessible at Colo. hospital

The 25-bed hospital, which did not pay the ransom, is still working to get full access to files from August 2012 through August 2017.
By Kat Jercich
01:58 PM

Rangely District Hospital in Rio Blanco County, Colo., issued a notice last week that a ransomware attack had targeted the software necessary to access five years of patient records. 

In addition, the notice said, RDH can no longer access the records of patients who received home health services between June 2019 and April 9, when the ransomware was discovered.

Although the hospital was able to recover some of the files from backups and other sources, the notice said, "some electronic records are unavailable or have not been recovered."

WHY IT MATTERS

RDH is a 25-bed nonprofit critical access hospital in Rangely, Colo., a town of about 2,300 near the Utah border. 

According to forensic analysis, the hospital said, a foreign actor gained access to RDH's systems on April 2 before launching the ransomware attack – an automated file-encryption process – a week later. 

RDH did not pay the ransom, and the identity of the cybercriminal behind the attack is still unknown. 

"The investigation determined that the ransomware was launched to lock RDH out of its files in an effort to extort money; it did not result in viewing or exporting of files containing any patients’ health information," said the notice released by the hospital.

The ransomware infected proprietary software the hospital uses to view files in a previous Meditech database, which RDH had stopped using in August 2017. 

"The type of information that has not been recovered or to which access has been lost includes medical records entered in the Meditech database between August 2012 to August 2017, and home health records between June 2019 and April 9, 2020," the notice explained. 

The records did not include credit card or bank account information, but they did contain names, dates of birth, social security numbers, diagnoses and conditions, and health insurance, claims and billing information, among other data. According to the hospital, "none of the files was viewed or exported from the hospital’s systems by the cybercriminal."

RDH said it's made changes to its remote network access policies and implemented password changes on all authorized user accounts. It is researching more data backup options, and has purchased Carbon Black software technology to flag any potential breach during restoration.

RDH representatives did not respond to requests for comment about how much patient data it was able to restore or how the breach occurred. 

"The hospital continues to work on efforts to gain access to all files in the Meditech database," the notice said. 

WHY IT MATTERS

Cyberattacks on health systems have continued to ramp up during the COVID-19 pandemic, with cybercriminals targeting individuals hungry for knowledge about the novel coronavirus crisis.

Phishing is among the most common causes of data breaches, with attackers frequently taking over users' Office365 accounts, installing ransomware or malware, or intruding on the network after gaining access. 

Security professionals have specifically pointed to ransomware as an issue organizations will face for years to come.

"Ransomware surged in 2019, and there is no foreseeable slowdown. All industry segments were impacted. Manufacturing and professional services were particularly hard hit, followed closely by healthcare, education, and government entities. The amount of ransom demanded and actually paid dramatically increased compared to 2018," said the authors of the "BakerHostetler Data Security Incident Response Report" released in May.

ON THE RECORD

"Although there was no indication that personal information was viewed or exported, RDH encourages individuals to remain vigilant to the possibility of fraud or identity theft," said the hospital in the statement.

"RDH recommends that individuals regularly review their financial statements and credit reports. If individuals identify services they did not receive or accounts, charges, or withdrawals that they did not authorize, they should contact and report to the involved company or credit reporting agency immediately," RDH continued.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.