Grays Harbor Community Hospital and Harbor Medical Group notifying 85,000 patients of ransomware incident; Not all EMR have been recovered

Back in July, this site noted a media report about a ransomware attack on Grays Harbor Community Hospital. At the time, and although the incident had first been reported in the media on June 19, the hospital was still not disclosing a lot of details. Yesterday, the hospital issued a formal notice about the breach, as below. The Daily World, which has done a great job of staying on this story, reports that 85,000 patients would be receiving notification: 10,000 from Harbor Medical Group and the remainder from Grays Harbor Community Hospital. They also report that the attackers demanded ransom be paid in BTC that would be valued at more than $1 million at this point. The hospital did not pay.


Corporate news | Wednesday, August 14, 2019

Grays Harbor Community Hospital (GHCH) and Harbor Medical Group (HMG) are providing to patients notice of a recent ransomware attack that involved patient health information.

On June 15, 2019, GHCH and HMG discovered that databases containing electronic medical records were encrypted by a sophisticated software program (ransomware) designed to block access to a computer system until a sum of money is paid. Upon identifying the ransomware, GHCH and HMG launched an immediate investigation with the support of leading forensics and network consultants, and the investigation is ongoing. GHCH and HMG also notified the FBI of the incident. At no time was patient care compromised and throughout the incident GHCH and HMG continue to care for patients.

After taking the appropriate precautions to safeguard the network, GHCH and HMG used established backup procedures and have been able to recover much of the patient health care information; however, certain parts of the electronic medical record remain encrypted and inaccessible by GHCH and HMG. GHCH and HMG have no reasonable basis to believe that any personal information has been transmitted outside of GHCH’s or HMG’s databases.

The health information that was impacted by the ransomware may have included a patient’s full name, date of birth, social security number, phone number, home address, insurance, and medical record information, including diagnosis and treatment. GHCH and HMG have recovered much of the information that was encrypted but have been unable to recover fully all of the health information that was encrypted.

GHCH and HMG will continue to work diligently with security experts to recover the affected databases and re-establish access to the entire electronic medical record; however, this may not be possible.

Ransomware incidents of this nature are different from other data security incidents in that the data remains within the database. While GHCH and HMG do not believe that any of this personal information was transmitted outside of GHCH’s or HMG’s databases, out of an abundance of caution, GHCH and HMG are notifying patients via letter. GHCH and HMG have arranged for those affected to enroll in a credit monitoring service through Experian. This service is available to those affected at no cost.

GHCH and HMG will continue to take steps to mitigate this incident and to prevent this type of incident from happening again, including implementing more robust security and backup procedures. We also are providing training for staff members to ensure they understand how to avoid malware.

GHCH and HMG have established a dedicated call center for patients with questions at 1-833-762-0219, Monday – Friday from 7:30 am – 5:00 pm Pacific Time.

GHCH and HMG take very seriously the responsibility to protect our patients’ personal information and deeply regret any concern or inconvenience this incident may cause patients.

Ransomware Incident Notification/Frequently Asked Questions

Q: What happened?
A: On June 15, 2019 Grays Harbor Community Hospital (GHCH) and Harbor Medical Group (HMG) discovered that databases containing electronic medical records of GHCH’s and HMG’s patients were encrypted by a sophisticated software program (ransomware) that is designed to block access to a computer system until a sum of money is paid. This ransomware spread throughout GHCH’s and HMG’s network and encrypted files found on the network.

Q: When did the event occur?
A: In the early morning of June 15, 2019, our IT department staff members identified unresponsive servers. Upon investigation, they identified the ransomware virus that encrypted files across the network. Our IT department shut down servers in order to stop the spread of the virus and preserve data. Multiple third party IT cyber and network consultants were immediately called in to assist in efforts to recover the data that was encrypted by the virus. GHCH and HMG notified the FBI of this incident.

Q: What kind of information was exposed in this event?
A: We have no indication at this stage that any data has been exposed or accessed by unauthorized individuals. However, the affected data has been encrypted or “locked away” by the ransomware and has been rendered inaccessible by GHCH and HMG. The affected data includes information about GHCH’s and HMG’s patients found in the medical record, demographics, insurance information, medical history, treatment and billing information. Again, although this data has been encrypted by the ransomware virus, we have no reason to believe at this time that the data has been extracted or accessed by unauthorized individuals.

Q: Why am I receiving this letter?
A: We notified you because our investigation determined that your personal information maintained by GHCH and/or HMG may have been encrypted by the ransomware virus. GHCH and HMG value the privacy and security of its patients’ personal information and want you to be fully informed about this incident. We are also sending you this notice in accordance with our legal requirements under state and federal laws.

Q: Why am I being notified now?
A: After GHCH and HMG discovered the incident, they immediately launched an investigation so they could understand the impact of the ransomware virus and provide patients with accurate information about the incident. Although the investigation is ongoing, GHCH and HMG believe they now have enough information to provide you with the notice.

Q: What are GHCH and HMG doing to prevent similar events from happening in the future?
A: GHCH and HMG are working with third-party cybersecurity experts to enhance GHCH’s and HMG’s network security systems and upgrade security protocols. In addition, GHCH and HMG are upgrading the network’s virus protection programs, the network’s real-time monitoring systems, and the network’s operating system. We also have reinforced education and training for our staff members on how to avoid email phishing schemes and take proper precautions for cybersecurity.

Q: What services are GHCH and HMG offering to me?
A: GHCH and HMG will be offering Experian Credit Monitoring to those whose information was affected by the ransomware. Affected patients will receive a letter with instructions about how to enroll and account information.

Q: Who is Kroll? I thought my information was being held by GHCH and HMG?
A: Kroll is a nationally-recognized cybersecurity company that has been hired by GHCH and HMG to assist you in obtaining credit monitoring services following the incident.

Q: Why do I have to provide you with my Social Security Number for credit monitoring?
A: Your Social Security Number is your unique identifier with the credit bureaus, and Kroll needs this information in order to assist you in obtaining credit monitoring services.

Q: What if I don’t want to enter my information on a computer?
A: Kroll offers an offline monitoring option through Experian. You will receive a letter in the mail if there is a change detected on your credit file, as opposed to an email. If you like, we can send you an offline authorization form to fill out and send back to Kroll, which will enable the offline services. The letter will be directly from Kroll and will include instructions on how to complete the form and a self-addressed return envelope will be included for you to send the completed form back to Kroll.

Q: I’ve never heard of GHCH or HMG, why do they have my information?
A: You are receiving this information because at some point in time you have utilized the services of GHCH, HMG, or its affiliated healthcare facilities.

Q: How do I know that the incident actually happened and that the notification letter is not fraudulent or a scam?
A: Federal and state laws require that we notify you by mail. We can assure you that this incident did occur and thus we are offering the support identified within the notification letter. We would encourage you to take advantage of the credit monitoring services provided and call us at the number noted within the letter if you have further questions or concerns.

Q: How can I speak to GHCH or HMG directly about what happened?
A: The call center can be reached at 1-833-762-0219 Monday-Friday from 7:30 am – 5:00 pm Pacific Time.

Q: Why hasn’t GHCH or HMG paid the ransom to get the affected information back?
A: The FBI advised GHCH and HMG not to pay the ransom demanded by the individuals who created the ransomware. One key issue is that paying the ransom will not guarantee that access to the information will be restored.

Q: Does GHCH or HMG know who was behind this?
A: GHCH and HMG do not know who is responsible for the incident, and it is a matter of ongoing investigation.

Q: Does/will this incident affect medical care?
A: At this time, we have no reason to believe that this incident has or will affect patient care. However, some of your medical records may be inaccessible as a result of this incident, so we encourage you to provide full and complete answers to questions asked by your provider at your next appointment at GHCH or HMG, including information related to your prescription medications and current symptoms.

About the author: Dissent
