A ransomware attack that hit several computer systems at Brooklyn Hospital Center in New York City exposed patient data and caused permanent loss of some patients' information.
In a notice posted on its website Monday, the hospital said in July it became aware of unusual activity on some hospital servers. After investigating the incident along with a third-party forensic investigation firm, the hospital discovered that malware had encrypted some of the hospital's patient files and disrupted the operation of certain hospital systems.
Despite remediation efforts to recover all the data infected with malware, the hospital determined in September that certain patient data were unrecoverable. There is no evidence data were accessed or acquired or of any attempted misuse of the data, the hospital said.
Recovery efforts are ongoing, but the hospital is taking steps to notify those individuals whose records may no longer be available. The information that can't be recovered could include patient names and certain dental or cardiac images.
Brooklyn Hospital Center is a 464-bed independent community hospital and is a clinical affiliate of Mount Sinai Hospital.
The hospital said once it learned about the incident it quickly took steps to restore its systems and ensure the security of the network. "We are reviewing our policies and procedures relating to data security and taking steps to enhance our existing security protocols," officials said.
Healthcare providers continue to be targeted by cybercriminals due to the high value of healthcare data. In the first nine months of 2019, at least 621 government entities, healthcare service providers, school districts, colleges and universities were affected by ransomware, according to a recent report from security firm Emsisoft.
So far in 2019, there have been a total of 491 ransomware attacks on healthcare providers, Emsisoft reported. These incidents include Park DuValle Community Health Center, which was unable to access medical records for seven weeks; staff were forced to resort to using a pen and paper system. Park DuValle eventually agreed to pay the $70,000 ransom.
Alabama-based DCH Health System also was hit with ransomware in October that disrupted operations at three hospitals. The organization eventually paid the hackers to get a decryption key to restore access to locked systems.
Wyoming health system Campbell County Health was crippled by a cyberattack in September that shut down computer systems for days and forced the 90-bed facility to transfer patients to other local hospitals. The ransomware affected all 1,500 of the organization’s computers.
Local media outlet County 17 reported on Oct. 28 that the cyberattack remains under review by the FBI. No patient records or personal information were compromised during the attack, Campbell County Emergency Coordinator David King said, and, to his knowledge, the hospital did not pay a ransom to have the records unlocked, County 17 reported.