California Hospital IT Systems Held Hostage by Ransomware Attack

Feb 17, 2016
  • FisherBroyles News
  • Health Care
  • Privacy & Data Security
  • White Collar Crime

The Hollywood Presbyterian Medical Center in Los Angeles, California. MARIO ANZUONI / Reuters
Today national news outlets are reporting a hacking assault on Hollywood Presbyterian Medical Center in California. According to authorities, the hospital was the victim of a cyber-attack on February 5 that locked the hospital out of its computer systems by infecting its network with ransomware. The unknown hackers seized control of the hospital’s computer systems and would only give access back if a $17,000 ransom was paid in bitcoins.

The hospital opted to pay the ransom before notifying authorities. In a statement to the Los Angeles Times, hospital CEO Allen Stefanek said, “The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the encryption key. In the best interest of restoring normal operations, we did this.” Stefanek further stated that patient care was never compromised, nor were hospital records. The attack forced the hospital to return to handwritten record-keeping while the systems were unavailable.

Under federal law, potential PHI breaches involving more than 500 people are required to be reported to the Department of Health & Human Services – Office for Civil Rights (“OCR”). OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C and E) and carries out this responsibility by investigating complaints. In this case, the hospital reported the hack to the Los Angeles Police Department and the FBI. As of now, the FBI has taken control of the hacking investigation; however, because this hack potentially exposed electronic PHI, OCR is more than likely to respond to this incident.

Recent hacks on healthcare organizations have been highly sophisticated attacks on information technology systems aimed at gaining access to electronic PHI (Social Security numbers, dates of birth, addresses and phone numbers) in order to steal patient identities for financial gain. The attack on Hollywood Presbyterian Medical Center is unusual in that it is perhaps the first reported ransomware attack on a hospital system. As evidenced by breaches reported in 2015, healthcare providers are proving to be both easy and data-rich targets for hackers. While some breaches were massive, such as those at BCBS, Anthem, and Premera, smaller organizations such as physician groups, pharmacies, and labs are equally at risk of a ransomware attack or a hack for electronic PHI. Outdated technology, insecure network-enabled devices, complex data systems with multiple points of entry, and an overall lack of information security procedures and processes are making health systems particularly vulnerable to cyber-attacks.

The assault on Hollywood Presbyterian serves as yet another glaring example of the need for constant vigilance over corporate IT systems, particularly in those sectors that maintain data subject to HIPAA and HITECH. Given the potential legal liability for non-compliance, and the increased focus on enforcement seen in the last several years, companies must count data security among their highest priorities. All healthcare providers should take action to review their HIPAA protocols, perform audits to test for breach vulnerabilities, and update their response plans to include their organization’s response to a ransomware attack.

FisherBroyles attorneys have experience handling breaches, from discovery through mitigation and reporting, to ensure compliance with federal and state laws and regulations. For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys:

Brian E. Dickerson
[email protected]
202.570.0248

Nicole Hughes Waid
[email protected]
202.906.9572

About FisherBroyles, LLP

Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to hundreds of partners practicing in 24 markets globally. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at www.fisherbroyles.com to learn more about our firm’s unique approach and how we can best meet your legal needs.

These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.

© 2024 FisherBroyles, LLP