In the wake of the recent ransomware attack at Hollywood Presbyterian Medical Center that crippled the hospital’s information systems for more than a week, California State Senator Bob Hertzberg has introduced legislation that makes ransomware attacks a crime equivalent to extortion.
According to a press release from Sen. Hertzberg’s office, the proposed bill, SB 1137, outlaws the practice of infecting any computer, system or network with ransomware and states that a person engaged in the activity could be convicted of a felony and be given a sentence of up to four years in prison.
“Nearly every day we read in the news about data breaches and online criminal activity,” Hertzberg said in a statement. “We must be clear that we will not tolerate this kind of conduct, and that using modern tactics to engage in age-old thuggery of ransom and extortion does not change the seriousness of the crime.”
As previously reported by Healthcare Informatics, Hollywood Presbyterian Medical Center announced last Thursday that it had paid the hackers 40 Bitcoins, or about $17,000, to regain control of its computer systems after a ransomware attack Feb. 5 affected the operation of the hospital’s enterprise-wide information system.
HPMC president and CEO Allen Stefanek said in a statement last week that hospital staff noticed issues accessing the hospital’s computer network on Feb. 5, and that the hospital’s IT department began an immediate investigation and determined the hospital had been subject to a malware attack.
“The malware locked access to certain computer systems and prevented us from sharing communications electronically. Law enforcement was immediately notified. Computer experts immediately began assisting us in determining the outside source of the issue and bringing our systems back online,” he stated.
Stefanek also said, “The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Stefanek also said the incident did not affect the delivery and quality of patient care. “Patient care has not been compromised in any way. Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access,” he said.
However, for more than a week, hospital staff could not pull up electronic patient medical records and were registering patients on paper and communicating via fax lines.