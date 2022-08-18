A “technology incident” that shut down Lamoille Health Partners’ computer systems for nearly a week and a half in June was the result of a ransomware attack against the health care organization.
According to CEO Stuart May, the in-house technology team and a cybersecurity company brought in to sift through Lamoille Health Partners’ computer servers has “pretty much wrapped up their investigations,” and the FBI, the U.S. Department of Health and Human Services and the Vermont Attorney General’s office are reviewing the attack.
Patients and anyone else in the Morrisville-based federally qualified health care center system were sent letters last week informing them of the incident.
“We determined that the criminals could have accessed documents that included some individuals’ personal information,” May wrote in the Aug. 10 letter.
That information, the letter states, could include a person’s Social Security number, health insurance and medical treatment information, and basics like name, address and date of birth.
In an interview last week, May said patients were notified “out of an abundance of caution,” and Lamoille Health Partners is offering all patients a free one-year membership to identity protection services through Experian.
“We have no reason to believe that any personal information has been misused,” May said, adding no actual ransom was paid out to the attackers.
Attack and fallout
May said the ransomware attack happened sometime between June 12 and the next morning, which is when Lamoille Health Partners’ tech team discovered that “an unknown, unauthorized third party” — he refers to the attackers as “criminals” — locked some files in one of the organization’s systems.
He said he could not say which part of the system was attacked, since it’s still an ongoing investigation at the federal and state levels.
Tech crews quickly shut down the system according to established protocols, and May credits their swift work with negating any chance of any additional attacks. All the organization’s offices shut down for a couple of days as the crews began restoring the systems from backups.
The shutdown also gave time for doctors, nurses and other employees to switch over to old-fashioned, paper-based processes while the computer systems were down for nearly a week and a half.
“Inside of two weeks, we had all of our systems up and operational,” May said last Thursday. “Up until today, it has continued without any interruption.”
May said he is not yet sure how the attack affected patient access, but he acknowledged a significant number of them had to reschedule appointments during the time when the offices were closed and the systems were down. This has caused ripple effects on the whole system, as doctors have prioritized getting patients rescheduled over making new appointments, and performing something akin to low-level triage, prioritizing urgency over routine.
“Obviously, some folks we were able to see during that down time, but there were probably more that we did not see,” May said. “If you’re asking me to make an educated guess if everyone who got canceled, have we seen them already? The answer would be no.”
Health care hit hard
According to a report by cybersecurity company Sophos, two-thirds of U.S. health care companies were hit by ransomware in 2021, up from 34 percent the year before. Sophos defines a hit as “one or more devices impacted by the attack but not necessarily encrypted.”
The report states that the health care sector has been impacted by cyberattacks more than any other sector.
The sector has consequently gotten much better at getting its data back after an attack. According to the report, 99 percent of health care organizations affected last year got some of their encrypted data back, up from 93 percent the year before.
“As ransomware has become more prevalent, organizations have gotten better at dealing with the aftermath of an attack,” the Sophos report states.
As the name suggests, people or organizations who deploy ransomware will often try to extort money in exchange for the return of compromised data. However, May said that didn’t happen in the June attack.
“We have not had to pay anything out,” May said.
The Sophos report notes that the percentage of health care organizations that were extorted decreased last year, from 7 percent to 4 percent of organizations. This is fortunate because victims rarely get all their data back.
Last year only 2 percent of health care organizations that paid their attackers got all their data back, according to the report, which states that organizations in that sector, on average, got back only 65 percent of their data back even after paying the ransom — a decrease from previous years.
Despite the drastic increase of ransomware aimed at health care providers, May is stubborn in the face of seeming inevitability.
“I hate when people say, particularly when it comes to cyberattacks, that it’s not a question of if, but when,” May said. “To me, that’s kind of throwing in the towel.”
