In the fall of 2021, staff at Johnson Memorial Health hoped they could finally catch their breath. They had just come off a week-long surge in COVID-19 hospitalizations and deaths fueled by the Delta variant.
But at 3am, Friday, October 1st, the hospital CEO’s phone received an emergency call.
“My director of nursing said, ‘Well, it looks like we’ve been hacked,’” said David Dunkle, CEO of the health system in Franklin, Indiana.
The information technology team at Johnson Memorial had discovered that a ransomware group had infiltrated the health system’s network. The hackers left ransom notes on each server, demanding that the hospital pay $3 million in bitcoin within days.
The ransom note was signed by “Hive,” a prominent ransomware group that targeted more than 1,500 hospitals, school districts, and financial firms in more than 80 countries, according to the Department of Justice.
Johnson Memorial is just one of the victims of a wave of cyberattacks targeting US hospitals. A study found that cyberattacks on state healthcare facilities more than doubled from 2016 to 2021, from 43 attacks to 91.
After a breach, the focus is often on the risk of confidential patient information being exposed, but these attacks can also cost hospitals millions of dollars in the months that follow and cause interruptions in patient care that are potentially life-threatening.
Following its own attack, the Johnson Memorial staff suddenly had to revert to low-tech patient care. They relied on pen and paper for medical records and notes and sent runners between departments to take orders and deliver test results.
Hours after the 3am call, Dunkle was on the phone with cybersecurity
The most pressing issue on his mind: Should his hospital pay the $3 million ransom to minimize disruption to its operations and patient care?
Dunkle feared the U.S. Treasury Department’s Office of Foreign Assets Control could fine the hospital if it paid a ransom to an unknown entity on the sanctions list.
Dunkle also feared possible lawsuits, as the hackers claimed they had stolen sensitive patient information, which they would post to the “dark web” if Johnson Memorial Hospital didn’t pay. Other health data breaches have led to class action lawsuits by patients.
The Office for Civil Rights within the Department of Health and Human Services can also impose financial penalties on hospitals if patient data protected by federal privacy laws is breached.
“It was information overload,” Dunkle recalls. All the while, his hospital was filled with patients needing care and staff who didn’t know what to do.