All of records erased, doctor's office closes after ransomware attack

A computer virus recently injected itself into the electronic medical record system of Brookside ENT & Hearing Services and ruined the business.

The two-doctor medical practice in Michigan has apparently become the first health care provider in the nation to shut its doors for good because of a ransomware attack, according to half a dozen cybersecurity experts contacted in the past week. Hackers are targeting Minnesota hospitals and clinics at an escalating pace, including four breaches involving patient files already reported in 2019, though any interruptions of work have been temporary.

Ransomware, which encrypts sensitive information and then demands a small financial payment to unlock the files, has become the most common form of malicious software affecting businesses, typically arriving via e-mail, Verizon's 2018 data-breach report says.

Brian Stevenson, president of Roseville cyber security firm FocusPoint Technologies, said about one-third of ransomware victims who pay the ransoms end up getting their data back. Yet, "people are paying the ransoms behind closed doors quite often, because the cost of not being operational for days is worse than the cost of paying," he said.

At Brookside ENT in Battle Creek, Mich., the ransomware virus started by deleting and overwriting every medical record, bill and appointment, including the backups. The virus left behind a duplicate of the deleted files, which could be unlocked with a password that the attacker promised to provide for $6,500 in U.S. currency wired to an account, doctors at the clinic said.

The practice's two ENT surgeons — Dr. William Scalf, 64, and Michigan state senator Dr. John Bizon, 66 — refused to pay the attacker's ransom. Scalf said in an interview that there was no guarantee the password would work, or that the malware wouldn't crop up again.

Scalf said an "IT guy" advising them on the attack determined that the attacker did not view the medical records, so the infection wasn't formally reported as a breach under the federal HIPAA law. But lacking any medical and billing records, the doctors closed the business on April 1 and retired about a year before they planned to.

But there was no way to communicate that to patients. "We didn't even know who had an appointment in order to cancel them," Scalf said. "So what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks."

Local resident Ann Ouellette, whose teen daughter's records were lost in the attack, told west Michigan CBS affiliate WWMT that her daughter came down with a sinus infection a month after getting surgery and now needs to find a new provider for her follow-up care. Past hearing-test results were lost in the attack, too.

Six cybersecurity researchers and consultants contacted by the Star Tribune said this appears to be the first time this type of scenario has played out in the U.S.

"This is the first time I've heard of a practice shutting down because of ransomware," cybersecurity researcher Billy Rios said via e-mail. Rios, founder of security firm WhiteScope and a well-known critic of lax security in health care products, said some of the medical data might still be recoverable, but it's impossible to tell without access to the infected system.

Beau Woods, a leader with the I Am the Cavalry cybersecurity initiative, said in an e-mail that the majority of small businesses are underprepared for ransomware threats, including many health care delivery organizations. Unlike larger organizations, many smaller providers have no full-time IT employee, let alone a cybersecurity specialist.

"Without better security capabilities and awareness, we can expect to see more frequent, more impactful ransomware incidents impacting health care," Woods wrote.

The digital barrage of attacks against small business IT systems is not limited to health care. But doctors and hospitals hold information of unique value — your personal medical records.

Already in 2019, four health care providers in Minnesota have reported breaches of patients' personal health information to the U.S. Health and Human Services Department, including a malware attack at a Woodbury reproductive medicine clinic affecting 40,000 patients — the second-largest health records exposure in Minnesota since reporting began in 2010, federal records show.

Other patient-data breaches reported in the state in the first quarter of 2019 included hacking and e-mail phishing at a behavioral health clinic in the Duluth area (1,200 records), a Catholic-run hospital in Baudette (885 records), and a community hospital district in Blue Earth (2,143 records), federal records show.

Those totals put Minnesota on track to exceed the 10 health data breaches recorded in 2018. The largest breach last year affected 20,800 records following an e-mail hacking incident at the Minnesota Department of Human Services.

The largest reported health care data breach in Minnesota ever was the theft of a laptop owned by medical suppliers Empi and DJO LLC, containing 160,000 medical records, reported in August 2015. Minnesota's most infamous health care data breach — the 2011 theft a laptop from billing consultant Accretive — involved the unencrypted medical records of 14,623 Fairview Health Services patients.

For all of the reported incidents, security researchers say there are many other cases in which providers are quietly paying the ransoms to unlock their files without any public notification.

"The reality is that many victims are paying ransom and successfully recovering as a result. Ransomware is a proven successful business model for attackers, complete with customer service to facilitate payments," said Justine Bone, CEO of the med-tech cybersecurity research firm MedSec, via e-mail.

Todd Carpenter, chief engineer at Minneapolis cyber security firm Adventium Labs, said he applauded the owners of Brookside ENT for refusing to pay the $6,500 ransom.

"Much better than paying the ransom, pretending it didn't happen, muddling through — which some hospitals and clinics have done," Carpenter said.

The attack on Brookside ENT was reported to the FBI, Scalf said. Scalf wasn't optimistic that the investigation would result in charges, but Carpenter said ransomware attacks should be reported to the FBI immediately. The next step would be to get a reputable "data forensics" specialist to review the files, Carpenter said.

The fact that Brookside ENT's backup files were corrupted underscores the importance of keeping additional data backups that are kept offline, away from attacks that can spread over a network.

The Healthcare Sector Coordinating Council published a detailed guidebook last year listing ways to improve what it called "cyber hygiene" in health care settings, including detailed guidance for making e-mail more secure, protecting networks with antivirus protections, limiting network access and actively looking for vulnerabilities that can be addressed.

Or as Bone put it: "Consumers and businesses both large and small need to either make a security investment up front, or manage risk by stashing that ransom for a rainy day. What will get even more interesting is when cyber risk insurers respond to these situations by recommending or making payments on behalf of their clients. It would not surprise me if this were already happening, unfortunately."

Joe Carlson • 612-673-4779