$70,000 Ransom Paid by Kentucky Community Health Center to Recover Encrypted Data

by

Park DuValle Community Health Center in Louisville, KY encountered a ransomware attack on June 7, 2019. The hackers successfully accessed its network and installed ransomware so that the center’s appointment scheduling platform and medical record system became inaccessible.

The non-profit health center offers healthcare services to low-income patients in the western Louisville area who have no insurance. For seven weeks, the health center employees recorded patient information using pen and paper and relied on patients’ record of last treatments and prescribed medicines. Patient data could not be accessed and consultations could not be booked. The clinic only entertained walk-in patients.

Around 20,000 records of present and past patients are stored in the medical record system. Those patients acquired treatment either at the medical center in Louisville, Taylorsville, Russell or Newburg.

This is not Park DuValle Community Health Center’s first ransomware attack this year. A similar attack transpired on April 2, 2019 disabling the center’s computer systems. In that instance, data was restored from backups and did not pay a ransom. Systems had to be built from the ground up and were offline for about three weeks.

The health center conferred with third-party IT experts and the FBI right after the most recent attack and decided to pay the ransom for the decryption keys. CEO Elizabeth Ann Hagan-Grigsby of Park DuValle told WDRB reporters that systems cannot be rebuilt and data cannot be recovered from backups after the newest attack.

Park DuValle paid the ransom in two installments – payments were made two weeks ago and last week. The last payment was 6 Bitcoin. The total ransom paid was roughly $70,000. It is expected that the health center systems will be fully restored by August 1, 2019.

The ransom paid comprise only a small portion of the total expenses associated with the ransomware attack, which is about $1 million.

Although the ransomware blocked file access, Hagan-Grigsby is convinced that data was not breached. The Department of Health and Human Services has been informed about the incident but there was no mention of data breach. There was no evidence that indicate the viewing of unencrypted patient data. The firewall logs do not show the exfiltration of data from its systems.

There were several healthcare ransomware attacks reported recently aside from the Park DuValle ransomware. Springhill Medical Center in Alabama, Dr. Carl Bilancione’s dental office in Maitland, Florida and Harbor Community Hospital in Washington also reported ransomware attacks.

Bayamón Medical Center in Puerto Rico also reported an attack, which impacted its affiliated Puerto Rico Women and Children’s Hospital. Over 520,000 patients were impacted.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]