Hackers held patient data ransom, so Greenfield hospital system paid $50,000

The best things a company can do to prevent ransomware include installing antivirus on every computer in its office, using a firewall and educating employees about what emails and attachments to open, says Dave Spilker, president of Network Engineering, an Indianapolis company that specializes in helping firms beef up their cybersecurity.

A Greenfield hospital system last week paid a $50,000 ransom to hackers who hijacked patient data.

The SamSam ransomware attack accessed Hancock Health's computers through an outside vendor's account on Thursday. It quickly infected the system by locking out data and changing the names of more than 1,400 files to "I'm sorry."

The virus demanded four bitcoins in exchange for unlocking the data, which included patient medical records and company emails. The hospital paid the amount, about $50,000 at the time, early Saturday morning, said Rob Matt, senior vice president and chief strategy officer.

"It wasn't an easy decision," Matt said. "When you weigh the cost of delivering high-quality care ... versus not paying and bearing the consequences of a new system."

The data started unlocking soon after the money was transferred, Matt said.

Paying was a pure business decision.

"The amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients," Matt said.

The health system said patient data was not compromised. Life support and other critical hospital services were not affected, and patient safety was never at risk, Hancock Health said in a news release.

Ransomware is a growing digital extortion technique that affected tens of thousands of Americans in 2016, USA Today reported.

Criminals use various phishing methods through emails or bogus links to infect victims with malicious software.


The virus infects the computer network by encrypting files or locking down the entire system. Victims log on and receive a message telling them the files have been hijacked and that they will have to pay to get them back.

"Generally, these attacks are aimed at large institutions that have lots of money, who typically don’t have a very good cyberdefense infrastructure," said Paul Talaga, an assistant professor at the University of Indianapolis' R.B. Annis School of Engineering.

Hospitals are a frequent target of these attacks. In May, the WannaCry ransomware virus affected more than 200,000 victims in 150 countries, including more than 20 percent of hospitals in the United Kingdom. That attack was later traced to North Korea.

Talaga said the Hancock Health case is unique in that the hospital actually paid the ransom. The hackers got exactly what they wanted. 

"Of course, the people doing the ransom can kind of say whatever they want and set the bar really at whatever they want," he said. "They’re going to aim the price just low enough that they would decide to pay it."

Paying such ransoms further encourages hackers, he said.

"It’s disconcerting that the hospital decided to do that," he said, "because now the attackers are motivated to continue to attack." 

Hancock Health said it worked with the FBI and hired an Indianapolis cybersecurity expert for advice on how to respond to the attack.

The systems were back Monday after the hospital paid the ransom.

"We were in a very precarious situation at the time of the attack," Hancock Health Chief Executive Officer Steve Long said in a statement.

"With the ice and snowstorm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible."

Hospital officials could have retrieved back-up files, but Long said they feared restoring the hijacked data would take too long.

"We made the deliberate decision," Long said, "to pay the ransom to expedite our return to full operations."

IndyStar reporter Holly Hays contributed to this article. Call IndyStar reporter Vic Ryckaert at (317) 444-2701. Follow him on Twitter: @VicRyc.