Federal and local law enforcement officials are investigating a healthcare data-for-ransom security breach at 18-bed Clay County Hospital in Flora, Ill.
The hospital received an e-mail ransom demand Nov. 2 containing patient names, addresses, Social Security numbers and dates of birth, but no clinical information, according to a release.
The sender threatened to make the patient information public unless “a substantial payment from the hospital” was made, the hospital statement said.
The hospital's computer servers had not been hacked, the statement said. Records of hospital patients who visited on or before February 2012 were compromised, it said.
Hospital spokeswoman Lisa MacKenzie said the records of 12,621 persons, all from Illinois, were affected. Where the breached records were stored, how far back in time they go and other details about the incident were withheld.
“We're in the middle of an active investigation,” MacKenzie said. “We're working with federal agencies as well as local police,” she said.
Since September 2009, the records of more than 41.6 million individuals have been exposed in 1,186 breaches (involving 500 or more individuals' records) reported to the Office for Civil Rights at HHS and posted to its “wall of shame” website.
While theft is the type of breach most commonly cited (52%) on the OCR's list, reports of ransom demands accompanying the thefts are rare, perhaps in part because the office doesn't track them separately.
In 2012, an electronic crimes task force, part of the U.S. Department of Homeland Security, was called in to look for a hacker who encrypted the patient records of three Northern Illinois surgeons, then demanded payment for the decryption key.
It's hard to say if ransom attempts are increasing, said security expert Mac McMillan, CEO of CynergisTek, because of a lack of public reporting.
“It seems like we've seen more this year,” McMillan said. “About a month ago I got a call from one of my CIOs who had a brother who worked for a firm that did billing for hospitals. They were hacked and all of their data was encrypted and held for ransom. We went back in and re-encrypted with special tools so they didn't have to pay the ransom. But it did affect their business.”
Attacks on healthcare computer systems by hackers—which account for about 7% of the breaches on the wall of shame—particularly those traced to foreign, professional hacking groups, have been in the news of late.
Filmmaker Sony Pictures Entertainment is currently reeling from a reportedly massive data security breach by hackers that involved federally protected health information, the company has announced.
Follow Joseph Conn on Twitter: @MHJConn