Valley Health System recovering from ransomware attack while maintaining patient care

Valley Health Systems (VHS) has joined the unfortunate ranks of health systems that have fallen prey to a ransomware attack.

VHS provides primary and preventative care to approximately 75,000 patients each year in southern West Virginia, southeastern Ohio and eastern Kentucky, operating more than 40 healthcare facilities. Their 2019 annual report noted that their sliding fee program had nearly doubled from FY 2018 to FY 2019.   As the report noted, the number of patients receiving discounts had not increased during 2019, but the amount of services VHS provided to the uninsured and under-insured did increase. The largest category of sliding fee patients is “Slide A,” meaning the individual or family is at 100 percent of the federal poverty level guidelines and receives the most heavily discounted or free services.

So VHS was providing more services to patients without the insurance or financial means to otherwise obtain medical care and other services VHS offers. And when the pandemic hit, VHS responded to the challenge to care for the community while protecting the safety of its staff.

None of its good deeds apparently make a bit of difference to criminals who only care about money.

When contacted by, VHS confirmed that a ransomware attack had disrupted access to some VHS computer systems. In a statement provided to this site, they explain:

Upon discovery of the incident early on August 22, we immediately implemented emergency procedures to continue providing safe patient- and family-centered care. Valley Health teams quickly initiated a comprehensive response that included engaging independent IT and forensic experts who are working around the clock to help us investigate and resolve this incident. While some of our systems are still affected, medical staff at Valley Health are still able to provide services and safe care to our patients.

Although the VHS statement does not indicate the type of ransomware or the amount of ransom demanded, the Sodinokibi (“REvil”) threat actors had identified VHS on their leak site, writing,

Hello, we have downloaded your private data, info about clients and employees and we are ready to publish it in our blog if you didn’t contact us.

next part will be with confidential information.

Actually, they already dumped some confidential information. REvil provided some screenshots and files as proof of access.  One screenshot showed a Reports directory consisting of a list of folders where each folder name was a patient’s name.  Another screenshot showed a patient record involving prescription opioid management.

The majority of files in the sample download section were .dcm (image) files, but many of the image files also contained text. There were also two patient folders with unencrypted patient information included.

VHS addressed the data release in their statement to this site:

Unfortunately, the threat actor has released some of our information. We are doing everything we can to understand what information is at risk and to protect patient information. We are committed to completing a full forensic review following the resolution of this outage, and we will take all appropriate action, which may include notifying affected patients, in response to our findings. We have also taken steps to notify the FBI and intend to fully cooperate with any investigation into this incident.

VHS’s statement continued:

Our providers and staff remain focused on meeting the healthcare needs of our community. Rest assured, we are maintaining our high standards of care. We sincerely apologize for the frustration and inconvenience this has caused, especially to our patients and dedicated staff. Valley Health appreciates the understanding of our community and are especially grateful for the hard work of our staff to get us through this situation.

Although some ransomware groups have publicly pledged that they do not attack medical providers,  the Sodinokibi threat actors have never made any such pledge.

About the author: Dissent

Comments are closed.