Hancock Health in Indiana Pays $55K Ransom to Unlock Encrypted Files

Hancock Health in Indiana, Greenfield had a ransomware attack that forced hospital staff to use pen and paper to manually record patient health information. The hospital’s IT department tried to block the ransomware attack and access the encrypted files.

It was at 9:30 pm that the ransomware attack started encrypting hospital files. The ransomware made the network run slowly and ransom notes appeared on the screen to indicate file encryption. The IT team immediately shut down the network to stop the damage of the attack. A third-party incident response company came to help mitigate the attack.

A ransomware attack could disrupt patient services. But Hancock Health was able to maintain patient services. Patient appointments and scheduled operations continued as usual. The investigators of the incident found no evidence that suggest patient information was stolen. It seemed that the purpose of the attack was just to disrupt the network and encrypt files, so that the hacker can force the hospital to pay ransom for the unlocked files.

The Greenfield Reporter released a report on the variant of ransomware. It is called SamSam and has been used for attacking many healthcare organizations in the United States for the last year. The attacker, who is still unknown, demanded a ransom of 4 Bitcoin in exchange for the keys to unlock the encryption.

Hancock Health followed the requirement of HIPAA to perform backups. In this case of a ransomware attack, Hancock Health is able to recover the files from backups but it would take a long time. The hospital will not be able to access patient files and information for a few days or weeks. So, the hospital just decided to pay the ransom of $55k. It was not an easy decision, but the hospital deemed it the best option to avoid disruption. The hospital got the keys to unlock the encryption within two hours of paying the ransom. Everything was back to normal the following day.

Usually, ransomware attacks happen because an employee responded to phishing emails or visited malicious websites.  But the attack on Hancock Health was sophisticated. It was not because an employee responded to a phishing email.

To avoid future ransomware attacks or limit its severity, Hancock Health installed a new software that can detect suspicious activities that precede a ransomware attack. The investigation of law enforcement is still ongoing to reach a full understanding of the incident.

About Christine Garcia 1295 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA