Massachusetts Hospital Acknowledges Paying Ransom to Recover Patient Data

June 1, 2021
Federal authorities advise healthcare organizations not to give into hackers’ ransom demands

The Attleboro, Mass.-based Sturdy Memorial Hospital has acknowledged it paid hackers a ransom payment to stop patient data from being further distributed following a cyberattack.

In a privacy notice posted to the organization’s website, leaders from the 126-bed facility admitted that on Feb. 9, they identified a security incident that disrupted the operations of their IT systems. Even though they said they immediately took steps to secure the impacted systems, while also notifying law enforcement and launching an investigation with the assistance of a third-party forensic investigator, it was still determined that an unauthorized party gained access to some of the organization’s systems during the morning of Feb. 9. The systems were secured later that same day.

The notice further stated, “In exchange for a ransom payment, we obtained assurances that the information acquired would not be further distributed and that it had been destroyed.”

Then in late April, a review and analysis of the files involved in the incident determined that information belonging to Sturdy patients was contained in the files. The analysis also determined that information associated with patients of certain other healthcare providers, with which Sturdy previously partnered for the coordination of patient care, was also involved in the incident, including Harbor Medical Associates, South Shore Medical Center, and providers affiliated with South Shore Physician Hospital Organization, the organization explained.

The information involved may have included names and contact information, including addresses and phone numbers, dates of birth, and Social Security numbers. Other personal data, such as financial account numbers, credit card numbers and security codes, could have been exposed. What’s more, protected health information could have been revealed, such as Medicare health insurance claim numbers, medical history information, treatment or diagnosis information, prescription information, provider names, medical record numbers, and/or treatment cost information. The organization’s electronic health record (EHR) system was not involved in the incident, officials said.

In late May, the hospital mailed notification letters to the individuals whose information may have been involved, recommending that they review the statements they receive from their healthcare providers and contact the relevant provider immediately if they see services they did not receive.

For eligible individuals whose Social Security numbers and/or driver’s license numbers may have been involved, Sturdy is offering complimentary credit monitoring and identity protection services through Experian.

For the most part, the FBI and other authorities advise victims not to pay ransoms to the hackers. “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” according to the Bureau in a recent bulletin.

Nonetheless, hackers see ransomware attacks as particularly worthwhile with the potential for large payouts. They “can be opportunistic without having any of the overhead bureaucracy of traditional crime,” Joey Johnson, chief information security officer (CISO) of the Brentwood, Tenn.-based Premise Health, told Healthcare Innovation in a recent interview. Said Johnson, if a criminal encrypts data and holds it ransom, “I have affected some kind of business process for you. Then if you are now motivated to fix that problem, [that means] from a criminal perspective, you don't need to go find a buyer for your compromised assets. You just created an immediate one-to-one relationship as soon as you broke in. This is why ransomware has been super powerful and why healthcare is ripe for it.”

One recent analysis from security company Comparitech revealed that throughout last year, 92 individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million patient records. The estimated cost of these attacks in total was nearly $21 billion. As part of that analysis, it was revealed that in 2020, the average ransom demand was $169,446, and in total, criminals demanded an estimated $15.6 million in ransoms. They ultimately received more than $2 million in ransom payments, not counting undisclosed amounts in several attacks.
