Physician owners at Columbia Surgical Specialists paid hackers more than $14,000 to regain access to patient data in January, according to a notice the medical practice posted Thursday.
Spokane, Wash.-based Columbia Surgical Specialists said it learned of the ransomware attack Jan. 9, a few hours before several patients were scheduled for surgery. Ransomware is a type of malicious software that encrypts a victim's computer files, which hackers offer to decrypt in exchange for a ransom payment.
The encrypted files and systems at Columbia Surgical Specialists included protected health information such as patient names and Social Security numbers.
"They made it clear we would not have access to patient information until we paid a fee," the notice said of the hackers. "We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data."
Columbia Surgical Specialists said the ransom was paid by the practice's physician owners and will not be passed on to patients.
Cybersecurity experts, including the Federal Bureau of Investigation, have traditionally discouraged organizations from paying ransoms, arguing that complying with these demands incentivizes cybercriminals. In some cases, hackers have refused to provide an organization with a decryption key, even after receiving a ransom payment.
Columbia Surgical Specialists reported up to 400,000 patients were affected in the incident to the HHS' Office for Civil Rights, which maintains the government's database of healthcare data breaches, Feb. 18. The practice said an external forensic review has since determined that the "actual number of potentially affected patients is substantially smaller."
The practice's IT security provider, Intrinium, said that although data on up to 400,000 patients was encrypted, it is unlikely the hackers obtained any protected health information. However, Columbia Surgical Specialists said it still plans to notify all patients whose data was encrypted in the ransomware attack.
"It is the company's belief based on available information that certain files were simply corrupted with unauthorized encryption measures to prevent the company's temporary use or access of that data," the practice's notice reads. "We believe the information was locked, but not obtained, by the perpetrators."
The ransomware attack at Columbia Surgical Specialists represents the second largest incident posted to the OCR's breach portal so far in 2019. UW Medicine in Seattle reported the largest breach yet this year on Feb. 20, disclosing a website vulnerability that affected the protected health information of an estimated 974,000 patients.