Cyber Attack at Community Health Systems Affects 4.5 Million Patients: Could This Be a New Trend?

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On August 18, 2014, Community Health Systems, a Tennessee-based hospital chain that has 206 hospitals in 29 states, announced that its computer system was hacked. According to a number of news reports, an outside group of hackers, originating in China, used highly sophisticated malware and technology to steal 4.5 million patients’ non-medical data. The hackers were able to obtain patients’ names, Social Security numbers, addresses, birth dates, and telephone numbers.

According to the Orlando Sentinel, in Florida, St. Cloud Surgical Associates, St. Cloud Medical Group, and Urology Associates of St. Cloud were among the practices where medical data was stolen. The article did not mention how many patients in Florida were affected.

How Community Health Systems will Handle Being Hacked.

According to The New York Times, Community Health Systems believes the attacks happened from April to June 2014. The company will be notifying affected patients and agencies under the Health Insurance Portability and Accountability Act (HIPAA).

The hospital system is now working with a security company to investigate the incident and help prevent future attacks. Federal law enforcement agents are also investigating the incident.

Because this breach affected more than 500 individuals, it will soon be posted on the “Wall of Shame” maintained by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The law requires that any breach involving 500 or more individuals be publicly posted.

Protect Your Practice As Best You Can From Cyber Attacks.

Cyber hacking in the medical community appears to be a crime of opportunity. There are quickly becoming two types of companies: those that have been hacked and those that will be hacked.

While there is no way to guarantee protection from extrusion and external sources, there are steps that can be taken. For medical practices, many of these are required as part of a HIPAA risk assessment. Some areas to focus on include:

–    Background checks;
–    Comprehensive policies and procedures;
–    Vigilance when it comes to monitoring and data-leakage prevention tools; and
–    Employee education.

Medical practices are going to become bigger targets as the health care industry transitions to electronic health records. In addition, the hacking community is figuring out that it is easier to hack a hospital or private practice than a bank, and you get the same information.

Comments?

How do you protect your medical practice from hackers? Do you have regular risk assessments? Why or why not? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Perlroth, Nicole. “Hack of Community Health Systems Affects 4.5 Million Patients.” The New York Times. (August 18, 2014). From: http://nyti.ms/1pFpujC

Kutscher, Beth. “Chinese Hackers Hit Community Health Systems; Other Vulnerable.” Modern Healthcare. (August 18, 2014). From: http://bit.ly/1BxsLqH

Jacobson, Susan. “St. Cloud Medical Patients’ Information Among Millions Stolen in Cyber Attack.” (August 18, 2014). From: http://www.orlandosentinel.com/business/os-hospital-data-breach-st-cloud-20140818,0,3157319.story

Rose, Rachel. “Protecting Your Medical Practices From Cyber Threats.” Physicians Practice. (July 17, 2014). From: http://www.physicianspractice.com/blog/protecting-your-medical-practice-cyberthreats

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Hackers Demand Multi-Million Dollar Ransom From Hollywood Hospital Following Cyber-Attack: Hospital Record System Out of Commission for Over a Week (Part 1 of 2)

By George F. Indest IV, Director of System Services, The Health Law Firm, and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

(Part 1 of a 2 part blog)
For more than a week, the computer systems at Hollywood Presbyterian Medical Center have been offline following a cyber-attack. The hospital has, apparently, also been locked out of all access to patient electronic health records (EHR). The unknown hackers are demanding a $3.6 million ransom to release the data. The hackers are demanding payment in Bitcoins, which will be untraceable if paid.

“Ransomware” Used

The attack reportedly started on February 12, 2016, and hackers used “ransomware” to infect the hospital’s computer systems. Ransomware is a type of malware that restricts access to the infected computer system and demands that the user pay a ransom to the malware operators to remove the restriction. Often ransomware will threaten to completely delete all data if payment is not made by a certain date.

Those hackers who use ransomware are thieves and extortionists. They properly may be called “cyber-terrorists.” What they do is clearly serious criminal activity. However, they are able to remain anonymous by operating out of foreign countries where government authorities are not interested in pursuing them. They stay anonymous by operating through many levels of proxy servers around the world and using false Internet Protocol (IP) addresses. Although the sophisticated supercomputers used by our counter-intelligence agencies could probably rapidly locate the site of such attacks, until now, such attacks have not been as serious as the one on the hospital. Even if the site were located, the cooperation of local law enforcement authorities might be questionable.

Ransomware and cyber-attacks are a growing menace, but when a hospital is targeted, the consequences can be much more serious than they are for the small businesses that are usually attacked.

Hackers Demand $3.6 Million in Bitcoins.

The ransomware affected the hospital’s information technology (IT) network and essentially shut down all of its systems. The hackers are holding the systems hostage until the ransom amount of $3.6 million is paid, at which point they will release the “electronic keys” that will supposedly unlock the stolen data on the computer system. The hackers demanded that the ransom be paid in Bitcoins, an electronic payment system that is not traceable.

Day-to-Day Hospital Operations Affected.

According to reports, the hospital’s staff has been redirecting emergency patients to other hospitals following the ransomware attack. The staff has resorted to using pen and paper to record patient information and sending telefaxes instead of e-mails to communicate with other departments. Patients are being required to come pick up medical records or go to outlying labs and diagnostic testing facilities to pick up paper copies of lab reports in person.

Some departments in the hospital have been affected as well because of this. Computers are crucial for medical equipment and because of the attack, the hospital’s Radiation and Oncology departments have been completely shut down. This has disrupted cancer treatments for patients.

Despite publicly confirming the attack on patients’ medical data and having declared an emergency, the hospital has not commented on the hackers’ ransom demand.

Part 2: Measures to Take to Prevent Similar Events

In Part 2 of this blog, which we will publish in the near future, we will discuss measures that hospitals and other healthcare institutions should take to prevent similar events from disrupting their operations.

Contact Experienced Health Law Attorneys.

The Health Law Firm routinely represents physicians, pharmacists, pharmacies, optometrists, nurses, health facilities, healthcare related businesses, and other health providers in investigations, regulatory matters, licensing issues, civil and administrative litigation, defense of HIPAA complaints and violations, regulatory matters, inspections and audits involving the Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI), Department of Health (DOH), matters involving the Centers for Medicare and Medicaid Services (CMS), the Food and Drug Administration (FDA), the Agency for Health Care Administration (AHCA), and other regulatory and law enforcement agencies. Its attorneys include those who are board certified by The Florida Bar in Health Law as well as licensed health professionals who are also attorneys.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

About the Authors: George F. Indest IV, is a computer systems scientist and is the Director of Systems Services at The Health Law Firm in Orlando, Florida. George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm. The Health Law Firm has a national practice. Visit our website at: www.TheHealthLawFirm.com . The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, FL 32714, Telephone: (407) 331-6620.

Sources:

Lee, Dave. “Hollywood hospital held to ransom by hackers.” BBC News. (February 15, 2016). Web.

Cuthbertson, Anthony. “Hackers hold hospital to $3.4 million ransom.” Newsweek. (February 15, 2016). Web.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 2016 The Health Law Firm. All rights reserved.
