[BreachExchange] Hackensack Meridian: We paid ransom to hackers to stop hospital cyber-attack

Destry Winant destry at riskbasedsecurity.com
Mon Dec 16 10:09:41 EST 2019


Hackensack Meridian Health paid an undisclosed amount in ransom to
stop a cyber-attack that has disrupted the hospital owner's computer
network since it began last week, the company said Friday.

The Edison-based company said it had insurance to help cover the costs
associated with cyber-attacks, including payment, remediation and
recovery efforts.

"We believe it's our obligation to protect our communities' access to
health care," it said in a statement.

The health care system has $6 billion in annual revenue, more than
35,000 employees and 17 hospitals, including Jersey Shore University
Medical Center in Neptune, Hackensack University Medical Center and
JFK Medical Center in Edison.

Locally, aside from Jersey Shore, it owns Riverview Medical Center in
Red Bank; Bayshore Medical Center in Holmdel; Ocean Medical Center in
Brick; and Southern Ocean Medical Center in Stafford.

The statement marked the first time the company confirmed it was the
target of a ransom attack, a crime that has entangled other hospitals,
businesses, municipalities and universities.

The attack on Hackensack Meridian began last week and brought down the
computer network for two days, leaving hospitals to reschedule
non-emergency surgeries and doctors and nurses scrambling to deliver
care without access to electronic records.

The impact wasn't confined to the hospitals — or employees. Suzanne
Penna, 48, of Pine Beach, said she had an appointment in Toms River
last Tuesday at 9:30 a.m. with a Hackensack Meridian doctor and didn't
finish until 12:30 p.m.

Without information readily available online, she had to fill her
doctor in on her medical history. She couldn't get her lab work done.
And she had to take hand-scrawled prescriptions to her pharmacy, she

Ransomware attacks aren't "just money for corporations," she said. "It
affects people's lives."

In ransomware attacks, hackers lure workers with links that look far
more legitimate than far-fetched phishing expeditions. If someone
clicks on the link, hackers deliver software that allows them to
encrypt data, making the computer network inaccessible.

Hackensack Meridian said Friday that it couldn't disclose the amount
of the payment because of confidentiality agreements.

It said its primary clinical system is operational, but it is still
working to bring other parts of the system back online.

The company said it discovered the incident quickly and immediately
notified the FBI, other law enforcement and regulatory authorities. It
also talked to cyber-security and forensic experts.

It added its investigation so far has found no indication that any
patient or employee information was subject to unauthorized access or

The company previously said only that its computers were down because
of "external technical issues." It said it couldn't disclose that it
was a ransomware attack because of developments in the investigation
and on advice of national experts.

This episode "makes it clear that even the best preparation may not
prevent a successful attack," the company said in its statement.
