L.A. Hospital’s Data Was Held Hostage
Breaches of patient records have been an ongoing theme in recent years for both hospitals and insurers in California, as may have disclosed breaches often involving the data of hundreds of thousands patients and enrollees.
Even as patient privacy is being violated, the providers still have access to actionable patient data.
But what happens when an entire hospital's electronic medical records have been taken hostage?
That's been the case with Hollywood Presbyterian Medical Center in Los Angeles. The privately-owned, 434-bed hospital acknowledged on Wednesday that parts of its computer system were hacked on Feb. 5, apparently through a malware phishing virus sent through its email system and accidentally clicked on by an unsuspecting employee, sources said.
As a result, the hospital's computer system was frozen up, and a ransom was demanded in the cybercurrency bitcoin in order to decrypt and unlock the files. According to published reports, the ransom demanded was 9,000 bitcoins, which currently trades at about one bitcoin for $419 in U.S. currency. That's the equivalent of about $3.76 million.
Published reports have said that Hollywood Presbyterian staff had been using paper and faxes to keep tabs on patients, and some have been transferred to other facilities.
A statement issued by hospital Chief Executive Officer Allen Stefanek said a ransom was paid, but nowhere near the sum cited by media outlets.
“The reports of the hospital paying 9,000 Bitcoins...are false,” Stefanek declared in the statement. “The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000.
“The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Stefanek’s statement noted that the hospital’s computer systems were completely restored on Feb. 15.
Such ransomware attacks have been reported in increasing numbers in recent years against individual computer owners, who are normally asked to pay anywhere from one to several bitcoins to recover their data. There have been a few incidents of such attacks against small police departments and some medical practices, but not against a large urban hospital.
Hospital officials have not responded to repeated requests seeking comment, confining their response primarily to Stefanek's statement.
Sources have said both the Los Angeles Police Department and the Federal Bureau of Investigation are investigating the incident and try and trace its perpetrator.
Hollywood Presbyterian is owned by CHA Health Systems, a closely held company that owns eight acute care hospitals and other medical facilities in South Korea. Hollywood Presbyterian is the only hospital it owns in the United States.
It is unknown if the issue has impacted other CHA facilities, although sources have suggested that it is confined only to the Hollywood Presbyterian property.
The hack and ransom demand has prompted California's hospital community to examine the situation more closely.
“California's hospitals continuously review and update their policies, procedures and preparedness for all types of IT, privacy and cybersecurity vulnerabilities. We take these matters seriously,” Jan Emerson-Shea, spokesperson for the California Hospital Association, said in an e-mail. She declined to comment on the Hollywood Presbyterian issue directly.
“This has been a wakeup call for the entire industry because everybody is vulnerable,” said Jennifer Bayer, a spokesperson for the Hospital Association of Southern California. Bayer added that the hack and ransom demand has created heightened awareness for other hospital operators in the state.
