Hospital hit by ransomware: Attackers demand Bitcoin to release control of system


GREENFIELD — Hancock Health fell victim to a cyber attack Thursday, with a hacker demanding Bitcoin to relinquish control of part of the hospital’s computer system.

Employees knew something was wrong Thursday night, when the network began running more slowly than normal, senior vice president/chief strategy and innovation officer Rob Matt said.

A short time later, a message flashed on a hospital computer screen, stating parts of the system would be held hostage until a ransom is paid. The hacker asked for Bitcoin — a virtual currency used to make anonymous transactions that is nearly impossible to trace.

The hospital’s IT team opted to immediately shut down the network to isolate the problem. The attack affected Hancock Health’s entire health network, including its physician offices and wellness centers.

Friday afternoon, Hancock Health CEO Steve Long confirmed the network was targeted by a ransomware attack from an unnamed hacker who “attempted to shut down (Hancock Health’s) operations.”

Hospital leaders don’t believe any personal medical information has been compromised, Long said.

Long declined to disclose details of the attack, including how much ransom has been requested. The attack amounts to a “digital padlock,” restricting personnel access to parts of the health network’s computer systems, he said.

The attack was not the result of an employee opening a malware-infected email, a common tactic used to hack computer systems, he said.

The attack was sophisticated, he said, adding FBI officials are familiar with this method of security breach.

“This was not a 15-year-old kid sitting in his mother’s basement,” Long said.

Protecting patients

Notices posted Friday at entrances to Hancock Regional Hospital alerted visitors to a “system-wide outage” and asked any hospital employee or office using an HRH network to ensure all computers were turned off.

Doctors and nurses have reverted to using pen and paper for now to keep patients’ medical charts updated. Long said he wasn’t aware of any appointments or procedures that were canceled directly related to the incident, adding Friday’s snowy weather contributed to many cancellations.

Most patients likely didn’t notice there was a problem, nor did the attack significantly impact patient care, Long said.

Hospital staff members worked with the FBI and a national IT security company overnight and throughout the day Friday to resolve the issue. Long said law enforcement has been acting in an “advisory capacity,” and declined to release details about the plan going forward, including whether the hospital is considering paying the ransom.

Long commended his staff, especially IT workers, who quickly identified the problem Thursday evening.

“If I was going through this with anybody, this is the team I would want to go through this with because I know what the outcome is going to be,” he said.

Leaders updated hospital employees, totaling about 1,200 people, throughout the day Friday and took steps to accommodate both patients and staff, including offering free food in the hospital cafeteria all day, Long said.

Long said if there is any suggestion private patient information has been compromised, hospital officials will reach out to those affected, though he doesn’t expect that to become an issue.

“We anticipate questions,” he said. “This is not a small deal.”

A growing problem

Ransomware attacks like the one at Hancock Health are growing more common, according to experts in the field of information technology and cybersecurity.

Some 4,000 ransomware attacks have occurred every day since 2016, according to a report by the federal Department of Justice — a 300 percent increase from the roughly 1,000 attacks per day in 2015.

Hackers often use phishing techniques — posing as a legitimate company or source the user recognizes — to break into a person’s or company’s computer and take it over, said Von Welch, the director of Indiana University’s Center for Applied Cybersecurity Research in Bloomington.

Rather than stealing private information stored on the computer and using or selling it, hackers who engage in ransomware turn the tables on their victims and refuse to give back control of the device unless someone pays up, Welch said.

It’s “particularly nasty” when hospitals fall victim to a ransomware attack because it can completely cripple the medical facility’s ability to help people, Welch said. Depending on what’s been compromised, hospitals can’t check patients in or gain access to certain essential equipment, he said.

Long said the hospital’s equipment continued to function normally Friday, though he’s troubled someone would target people in need of medical care, when many are at their most vulnerable.

“That somebody would do this to a hospital really boggles the mind,” Long said.

Hacker attacks in Indiana and elsewhere

At least one other Indiana hospital and government unit have fallen victim to similar attacks in recent years.

In November 2016, hackers in Anderson executed a similar cyber-attack on Madison County government servers. Criminals uploaded a computer virus to county officials’ network that restricted officials’ access to confidential files. The hackers then withheld the encryption code – which would allow county officials to retrieve the locked data – for a $200,000 ransom.

Madison County’s insurance carrier recommended officials pay the demands, which they did, regaining access to their system.

Six months earlier, hackers targeted a healthcare facility in Auburn, Indiana, where Dekalb Health’s administrative servers were infected with ransomware.

The threat caused only a minor disruption; the ransom was never paid, and most servers were brought back online shortly after the malware attack, hospital officials said in a news release issued at the time.

Hancock Health had policies in place for such an attack, knowing digital thieves are always on the lookout for a target, Long said.

“Unfortunately,” he said, “we were probably next on the list.”

What is ransomware?

Ransomware is a type of malware — a malicious computer program — that locks a computer user’s system, according to the Indiana Information Sharing and Analysis Center, an entity developed by the state to mitigate cybersecurity risks among state and educational entities.

The ransomware typically displays a message aimed at getting the user to pay a ransom through certain online payment methods in order to regain access to the system, according to the state of Indiana Cybersecurity website.

Hancock Health officials have not disclosed details about how the ransom demand was made or its amount.

Experts said prevention is key, as some attacks are launched by enticing a user to download an infected file that masquerades as a legitimate source — like an email attachment appearing to come from someone the user knows.

Avoid clicking on pop-up ads or links in emails from unknown senders, or those that seem out of character from the supposed senders, the website warns.

Hoosiers who do fall victim to ransomware should report the scam to the Indiana State Police, who may connect them with cyber forensic experts. To report a ransomware attack, visit