Cass Regional Medical Center Reacts Promptly to Ransomware Attack

Cass Regional Medical Center in Harrisonville, MO suffered a ransomware attack on July 9, 2018. The attack affected its communication network, leaving employees unable to access its electronic health record (EHR) system. Fortunately, the medical center already had incident response policies in place before the incident, which allowed prompt action to be taken in response to the data security breach. The emergency response procedure was executed within 30 minutes of the discovery of the ransomware attack. Hospital personnel met to quickly plan the actions that would reduce the effect of the ransomware attack on patient care.

Generally, attackers don’t gain access to patient information during ransomware attacks. However, Meditech, the EHR vendor, decided to shut down the EHR system as a safety measure. The EHR system remains offline while the investigation of the incident is ongoing and the ransomware is being eliminated. The investigation showed no evidence that the attacker accessed patient data.

Medical services to patients continued, but emergency ambulances for stroke and trauma patients were sent to other healthcare centers. Since the EHR system is inaccessible, medical personnel are using pen and paper to record patient data. The IT team is restoring the records with the help of a foreign computer forensics company. About 50% of the records had been recovered on July 10. At this point it is not yet known what type of ransomware was used for the attack or whether Cass Regional Medical Center paid the ransom demanded.

The EHR system remains down and will only be put back online when the third-party forensics firm has verified whether patient information was accessed by the attacker. Full system restoration is likely within 72 hours.

Cass Regional Medical Center responded immediately to the ransomware attack and contained the damage because incident response protocols had been developed specifically for ransomware attacks. Had no such procedures been set up, an incident like this could lead to the loss of valuable time in reacting to the attack, which could in turn affect patient care negatively.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA