Grays Harbor Community Hospital in Aberdeen, Wash., is recovering from a ransomware attack that encrypted files across its network, including electronic health records, earlier this summer. Data belonging to an estimated 85,000 people were affected.
The hospital and one of its subsidiaries have begun mailing notification letters to people who had data compromised in the attack, Grays Harbor Community Hospital said in a statement posted online Wednesday.
Grays Harbor Community Hospital and its subsidiary Harbor Medical Group on June 15 discovered databases containing patient health records had been hit by ransomware, a type of malicious software that encrypts a victim's computer files. Hackers typically offer to decrypt these files in exchange for a ransom payment.
Hackers demanded the ransom in bitcoin, a cryptocurrency, according to Aberdeen daily newspaper The Daily World, which first reported the incident. Grays Harbor Community Hospital CEO Tom Jensen told the newspaper that when converted to U.S. dollars, the hackers' demand likely totaled more than $1 million.
Upon learning of ransomware on the network, Grays Harbor Community Hospital and Harbor Medical Group launched an investigation and notified the FBI.
The FBI advised Grays Harbor Community Hospital and Harbor Medical Group not to pay the ransom demand, according to the organizations.
That's consistent with best practices promoted by cybersecurity experts, who argue that complying with ransom demands gives cybercriminals an incentive to keep attacking. In some cases, hackers have refused to provide an organization with a decryption key, even after receiving a ransom payment.
Not all organizations have followed that advice.
Earlier this year, physician owners at Spokane, Wash.-based Columbia Surgical Specialists paid hackers more than $14,000 in response to a ransomware attack, after determining that they needed access to the encrypted data to provide care to their patients.
Grays Harbor Community Hospital and Harbor Medical Group said they have continued to care for patients throughout the incident and were able to recover some patient data using backup procedures. "At no time was patient care compromised," the organizations said in the online statement.
Harbor Medical Group physicians are currently documenting on paper while the organization works on "rebuilding" its electronic health record, according to a hospital spokesperson. They are hoping to get the system back online in early September. Physicians at Grays Harbor Community Hospital, which uses a different EHR system, still have access to their EHR.
While Grays Harbor Community Hospital and Harbor Medical Group don't expect the potentially lost data to affect patient care, they are encouraging patients to "provide full and complete answers to questions asked by" providers at their next appointments, including information the provider might have previously had access to, they said in their online statement. For some patients, that includes coming to appointments with complete lists of their prescription medications.
Grays Harbor Community Hospital and Harbor Medical Group said they are working with third-party cybersecurity experts to upgrade their security systems and protocols, as well as to implement more robust backup procedures.
"As with many other organizations, we thought we were well prepared, and we were still victimized," Jensen said in a statement. "We are proud of the efforts of our providers and staff continuing the same level of excellent patient care during this setback."