Ransomware attack freezes health records access at 110 nursing homes
Happy Thanksgiving: your elder loved one’s life may be at risk.
About 110 nursing homes and acute-care facilities have been crippled by a ransomware attack on their IT provider, Virtual Care Provider Inc. (VCPI), which is based in the US state of Wisconsin and which serves up data hosting, security and access management to nursing homes across the country.
The attack was still ongoing on Monday, when cybersecurity writer Brian Krebs first reported the assault.
Krebs says it involves a ransomware strain called Ryuk, known for being used by a hacking group that calculates how much ransom victimized organizations can pay based on their size and perceived value.
Whoever it was who launched the attack, they got it wrong in this case. VCPI chief executive and owner Karen Christianson told Krebs that her company can’t afford to pay the roughly $14 million Bitcoin ransom that the attackers are demanding. Employees have been asking when they’ll get paid, but the top priority is to wrestle back access to electronic medical records.
The attack affected virtually all of the firm’s core offerings: internet service, email, access to patient records, client billing and phone systems, and even the internal payroll operations that VCPI uses to pay its workforce of nearly 150. Regaining access to electronic health records (EHR) is the top priority because without that access, the lives of the seniors and others who reside in critical-care facilities are at stake.
This is dire, Christianson said:
We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time. In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.
As Krebs notes, recent research suggests that death rates from heart attacks spike in the months and years following data breaches or ransomware attacks at healthcare facilities. A report from Vanderbilt University Owen Graduate School of Management posits that it’s not the attacks themselves that lead to the death rate rise, but rather the corrective actions taken by the victimized facilities, which might include penalties, new IT systems, staff training, and revision of policies and procedures.