UCSF pays $1.14 million to decrypt files after ransomware attack

The medical school was hit by an opportunistic malware attack on June 1, and the encrypted data was "important to some of the academic work we pursue as a university serving the public good," officials said.
By Mike Miliard
04:02 PM

UCSF on Friday announced that it had "made the difficult decision" to pay a $1.14 million ransom and unlock the important data that had been encrypted in a ransomware attack earlier this month.

On June 3, IT staff at UCSF School of Medicine detected a security incident that had occurred two days earlier, said school officials in a statement.

"We quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from the core UCSF network. Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work," officials noted.

Even as that attack was stopped, however, the perpetrators launched a malware program that encrypted some servers. UCSF officials note that IT and security staff have been working with an outside consultant and hope to restore access to the servers and shore up its defenses in general.

The school says it is continuing to investigate the incident, but say it believes that the malware was propagated "opportunistically, with no particular area being targeted." Likewise, they said, "we do not currently believe patient medical records were exposed."

But given that the data that was encrypted "is important to some of the academic work we pursue as a university serving the public good," UCSF officials say they decided to pay a portion of the ransom to gain access to the information.

Opportunistic cyberattacks have seen a steady increase since the onset of the COVID-19 pandemic, with bad actors attacking hospitals, research organizations and health agencies using a variety of coronavirus-themed phishing emails and brute force attacks.

As for the decision to pay the ransom, there is some debate, but most experts, along with the U.S. Department of Health and Human Services, the FBI, and other enforcement officials, say it's not a good idea.

But the appeal of rescuing ransomed data is understandable. Just this past week, Rangely District Hospital in Rio Blanco County, Colorado, revealed that it had been targeted with a ransomware attack that locked access to five years of patient records.

The hospital did not pay the ransom. But officials acknowledged that "some electronic records are unavailable or have not been recovered."

"This incident reflects the growing use of malware by cyber-criminals around the world seeking monetary gain, including several recent attacks on institutions of higher education," said UCSF officials in a statement. "We continue to cooperate with law enforcement, and we appreciate everyone’s understanding that we are limited in what we can share while we continue with our investigation."

Security in the COVID-19 Era

This month we look at how the COVID-19 pandemic is fundamentally changing healthcare organizations' approaches to security, now and in the future.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.