CNN
—
Hackers accessed the personal data of nearly 270,000 patients in an attempted ransomware attack on a Louisiana health care system in October, a spokesperson for the system told CNN on Wednesday.
Lake Charles Memorial Health System, which includes a 314-bed hospital, thwarted hackers’ attempt to encrypt its computers and prevented any interruption in patient care, according to spokeswoman Allison Livingston. The health care provider’s own security team spotted the hack, Livingston said in an email.
The hack was released in recent days when the hospital network notifies patients whose data has been compromised. This includes patients’ health insurance information, medical record numbers, and, in “limited cases,” Social Security numbers, according to the health care system.
It’s the latest in a series of ransomware attacks that have continued to hit US healthcare providers, which often have poor cybersecurity capabilities, in the nearly three years of the Covid-19 pandemic.
On their shady site for extorting victims, a ransomware gang known as the Hive claimed responsibility for hacking the Lake Charles Memorial and dumping data that supposedly belonged to the healthcare system.
In November, the Hive ransomware was used to extort an estimated $100 million from more than 1,300 companies worldwide – many of them in the healthcare industry – the FBI and other federal agencies warned.
“Health care continues to be a hot spot for ransomware groups because even if a ransom is not paid, these attacks bring a lot of attention to the ransomware group, increasing its notoriety,” said Allan Liska, Senior Threat Intelligence at cybersecurity company Recorded Future. CNN.
Ransomware gangs like Hive increasingly steal data from victim organizations before locking down computers in an attempt to increase their influence in ransom negotiations. Some ransomware operators “exploited stolen data to directly contact patients and demand payment under the threat of releasing their patient records,” Liska said.
While Lake Charles Memorial said its business operations were not impeded by the hack, other major US and Canadian healthcare providers were disrupted this holiday season.
SickKids, one of Canada’s largest children’s hospitals, said it could take weeks to fully restore its computer systems after a recent ransomware attack. The gradual recovery means that “some patients and family members may still experience delays in diagnosis and/or treatment,” the hospital said in a statement.
Meanwhile, a network of three hospitals in Brooklyn, New York, had to work on paper charts for weeks after a cyberattack on its computer systems in late November, the hospital group’s chief executive told CNN.
Healthcare executives have become much more aware of hacking threats in recent years, and a cottage industry of cybersecurity experts and consultants has focused on improving the industry’s defenses.
But small hospitals in particular often lack the funding and strong staff to protect their computer networks, according to experts. Sometimes volunteers try to fill the void. In the early days of the pandemic, a group of cybersecurity experts worked the night shift to help defend healthcare providers against hackers.
Ransomware attacks can threaten patient safety. A ransomware attack on a hospital already under stress due to the Covid-19 pandemic and other crises could lead to “reduced capacity and worsened health outcomes,” according to a study by the Department of Homeland Security’s cybersecurity agency.