HANCOCK COUNTY, Ind.– Officials with Hancock Health paid hackers a ransom to regain access of their computer systems.
Hancock Health says a ransomware attack occurred around 9:30 p.m. on Jan. 11. The hackers were able to access the system through a hospital server which was using the Remote Desktop Protocol (RDP) service. The hackers got into the server using a compromised administrative account setup by a vendor of the hospital.
They used a variant of ransomware called SamSam, which encrypts data files on the systems and uses a private key to unlock them.
Hospital officials contacted legal representation and involved the FBI’s cyber-crime task force for assistance. Leadership at the hospital decided to pay the ransom of four bitcoin demanded by the hackers to get the encryption keys.
Those four bitcoins were worth about $55,000, according to the Greenfield Daily Reporter.
“We were in a very precarious situation at the time of the attack. With the ice and snow storm at hand, coupled with the one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations,” said Hancock Health CEO Steve Long.
Hancock Health says according to forensic analysis, patient data was not transferred outside the hospital’s network. The FBI said criminals who typically use SamSam ransomware do so to obtain a ransom payment, not to collect and sell patient data.
The transaction was made Friday night and the keys were received.
“Before restoration, and to ensure containment, the team enhanced the security posture of hospital systems and the network. By Monday, January 15, 2018, critical systems were restored to normal production levels and the hospital was back online,” Hancock Health said in a release.
Officials said patient safety was never at risk.