Report: MedStar Health Hack Confirmed to be Ransomware Attack

The attack of the clinical information systems of the 10-hospital, Columbia, Md.-based MedStar Health integrated health system on March 28 included a digital ransom note, according to a new report from The Baltimore Sun.

The hack, broken first by The Washington Post, forced the health system’s leaders to shut down their electronic health record (EHR) and e-mail system, marking a new watershed moment in the recent history of hacking-based EHR and clinical information system shutdowns in U.S. hospitals, as reported by Healthcare Informatics on March 28. MedStar operates 10 hospitals and more than 250 outpatient facilities in the Washington region, serving hundreds of thousands of patients while employing more than 30,000 people.

In the days following the attack, MedStar Health issued a statement that “the three main clinical information systems supporting patient care are moving to full restoration.” MedStar Health also reported on March 30 “enhanced functionality continues to be added to other systems.” At the time of the health system’s statement on Wednesday, there had been no comment from MedStar Health officials about whether the malware is in fact ransomware.

But now, The Baltimore Sun is reporting that the hackers who locked up data on MedStar's computers are indeed demanding ransom to begin unlocking it. What’s more, they're offering a bulk discount to release all of it, according to a copy of the demands obtained by The Baltimore Sun. The hackers, who have encrypted the data so MedStar users cannot retrieve it, are seeking payment in bitcoins, according to the Sun’s report.

The specifics of the deal proposed by the hackers is this: Send 3 bitcoins—$1,250 at current exchange rates—for the digital key to unlock a single infected computer, or 45 bitcoins— about $18,500—for keys to all of them, report said. It's unclear whether 45 bitcoins would unlock all data throughout MedStar, or whether each of several sections of the network would require a separate 45-bitcoin payment, according to the report, which added that the ransom note appeared when users in the MedStar system tried to open files on their computers.

A Baltimore doctor interviewed in the report, speaking on the condition of anonymity because he was not authorized to discuss the attack publicly, said it had hit every computer on the network. As such, a Fox News report on March 31 confirmed that the healthcare provider is still experiencing widespread computer outages. Many doctors and nurses throughout MedStar are still unable to enter patient data and other medical information into the network’s computer systems, according to Fox News.

Indeed, the healthcare industry is getting far too used to the term “ransomware.” Just in recent months, Los Angeles-based Hollywood Presbyterian Medical Center paid hackers $17 million to restore its clinical information systems. Last week, Methodist Hospital, based in Henderson, Kentucky, also was subject to a ransomware attack, though in that case, NBC 14 News reported that no ransom was paid by the hospital.

To this end, in a recent interview with Healthcare Informatics, Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, a well-known figure in healthcare IT, and a widely respected healthcare IT security expert, said that he doesn’t visit a hospital now that doesn’t say to him that they have had two or three ransomware attacks or incidents. “I think that the threat is going to continue to increase in the next few years in a big way,” McMillan said, adding that part of the solution would be to have a monitoring service monitoring your systems 24/7—a security operations center, or “SOC.”