IT services company hit with ransomware, cutting off nursing homes' access to patient medical records

Editor's note: This story has been updated with a statement from Virtual Care Provider president Zachary Koch

A technology company that provides services to more than 100 nursing home companies and long-term post-acute care facilities was hit with a ransomware attack that crippled its servers and cut off access to patient medical records.

Hackers demanded a ransom of roughly $14 million in bitcoin.

The hack against Virtual Care Provider Inc. (VCPI) means some locations cannot access patient records, use the internet, pay employees or order medications. The Milwaukee-based company provides internet access, cloud hosting and security services to primarily senior living and long-term care facilities, including 110 nursing home organizations with some 80,000 computers across 45 states.

In a company memo (PDF) sent to clients Nov. 18, obtained by the Milwaukee Journal Sentinel, Virtual Care Provider executives said the business was attacked with Ryuk encryption ransomware spread by TrickBot virus. The company estimated 20% of its servers were affected by the virus.

Company executives said their monitoring systems quickly discovered the attack and spread of the malware and launched its incident response and management process. VCPI is now working with a third-party cybersecurity incident response firm.

"We are prioritizing servers that provide active directory access, email, eMAR, and EHR (electronic health record) applications," company officials said in the memo.

In an email to FierceHealthcare, VCPI president Zachary Koch said the company was recently targeted by a highly sophisticated ransomware incident that has impacted a subset of its servers.

"Upon learning of this incident, we immediately launched an internal investigation and retained independent cybersecurity experts to assist us in our investigation and remediation efforts. We take seriously our responsibility to protect the security and privacy of our customers’ data and are working diligently to restore these systems as quickly and safely as possible," Koch said.

The investigation remains ongoing, he said. "Our focus remains on working closely with our customers and outside experts to restore normal operations as quickly as possible, and to take additional steps to enhance the security of our systems," Koch said.

VCPI chief executive Karen Christianson told cybersecurity blogger Brian Krebs the ransomware attack affected virtually all of the company's core offerings, including Internet service and email, access to patient records, client billing, and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.

RELATED: Alabama health system forced to limit hospital services after ransomware attack

"Right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first," Christianson said. She told Krebs some affected facilities could be forced out of business, and patients' health is at risk if the data is not accessible, Christianson said. 

Christianson said her firm cannot afford to pay the ransom amount being demanded.

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she said. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

The impact on the 110 nursing home and senior care companies VCPI supports is based on how much data each gave Virtual Care. Some facilities use the company for tech support, while others rely on the firm to host their websites, email systems, phone lines, and patient records, the Milwaukee Journal Sentinel reported.

RELATED: Wyoming health system hit with ransomware attack, diverts ER patients and cancels services

Over the last two years companies of all sizes have been targeted by Ryuk and its variants, according to Eyal Aharoni, vice president of customer success at cybersecurity company Cymulate.

A hospital in France, University Hospital Centre in Rouen, announced it was hit by a ransomware attack that knocked its computer systems offline, forcing staff to resort to pen and paper. The 1,300-bed hospital revealed in a posting on Facebook on Nov. 19 that it was the victim of an attack and admitted to "very long delays in care."

Alabama-based DCH Health System also was hit with Ryuk ransomware back in October and paid the hackers for a decryption key to restore access to locked systems.

"For a malware that’s been around this long, attacks reaching epidemic levels and dominating media discourse, companies are falling short of excuses," Aharoni told FierceHealthcare via email.

The probability of hackers using Ryuk variants to leverage lateral movement capabilities is extremely high, Aharoni said, enabling them to exploit vulnerabilities such as EternalBlue (a software vulnerability in Windows) or BlueKeep (a vulnerability in Microsoft's Remote Desktop Protocol implementation).

"Victims of these attacks are due to their IT/security teams not updating systems with the latest patches or deploying their security configurations correctly, both of which should be implemented and strictly adhered to as part of security housekeeping and policy," he said.