[BreachExchange] Park DuValle Clinic Faces Blowback After Ransomware Attack

Tue Jul 30 10:12:57 EDT 2019

https://wfpl.org/park-duvalle-clinic-faces-blowback-after-ransomware-attack/

Carolyn Watkins is worried. There have been two recent ransomware
attacks on Park DuValle Community Health Center, where the 50-year-old
has gone for medical care since she was a baby. And despite assurances
from officials there that hackers didn’t gain access to about 20,000
patient medical records, Watkins doesn’t believe it.

“I’ve been coming here since I was little, so I’m very worried about
my information,” Watkins said. “All my kids have went here, and my
grandkids. It’s scary.”

On Thursday, WDRB first reported that Park DuValle paid hackers
$70,000 in bitcoin to release medical records and appointment
information being held hostage since the most recent attack in June.
Watkins found out about the security breach watching the nightly news.
She was bewildered: she had a medical appointment in May — a month
after the first ransomware attack. And she’d been back twice since
then to pick up prescriptions.

“They didn’t tell nobody nothing — like I said it was a surprise to
me,” Watkins said.

She was angry that the attacks happened, but also that her health care
provider didn’t tell her about them. Angry enough that she said she’ll
no longer go to Park DuValle to manage her high blood pressure and
gastroesophageal reflux disease.

“As far as Park DuValle, I’m changing my doctor today,” Watkins said.
“I’m going out here to Norton’s on Dixie Highway.”

Park DuValle Community Health Center CEO Ann Hagan-Grigsby said there
was no way for the clinic to reach out to patients since they’d lost
access to phone numbers and addresses. She said staff hadn’t told
patients about why their computer systems were down, only that they
were down. She said that was because she wasn’t sure how to tell
patients in a way that wouldn’t create a firestorm.

“I actually met with some other CEOs around the state and said, ‘How
do you do this in a way that does not create such a negative
impression with patients?’” Hagan-Grigsby said. “People are fearful —
they hear virus attacks and ransomware and hackers and their brains go
to, ‘we’re not safe there.’ And that’s not true.”

Hackers are increasingly targeting health care providers. Around the
same time of Park DuValle’s recent ransomware attack in early
June,five other health care organizations across the U.S. were going
through the same thing. Those health care entities told media outlets
that no patient information had gone to hackers, but instead hackers
locked up information and demanded money.

In some cases, medical providers are legally obligated to notify
patients and/or media outlets if their information is breached. But in
the case of Park DuValle, Hagan-Grigsby said the ransomware attack
didn’t qualify as a data breach.

“There was no data exported: you can see on your firewalls when things
come in and go out, nothing was going out,” Hagan-Grigsby said. “They
encrypted our files.”

She said in this case, her staff debated notifying the media much sooner.

“That’s a judgment call,” Hagan-Grigsby said. “We don’t have any way
to publicize other than if we had done a press release to the news
media to say this happened and what this will mean for patients. Maybe
that’s a good idea — maybe that should be best practice.”

More Attacks On Health Providers

Glenn Cohen, a professor and expert on bioethics and biotechnology at
Harvard, said he understands why a health provider might not want to
broadcast that they are facing a virtual attack — it exposes that
they’re vulnerable and they could be a target for another attack.

“But it does seem to me that they probably have an obligation at some
point along the way to tell patients, or why things are being delayed
if there’s some belief that it’s affecting patients,” he said.

Cohen said there are a couple reasons health providers are
increasingly under attack by hackers.

“The biggest reason is, I think, the pressure to pay — essentially
health care systems have vital health information, and if you can
block that up it can have disastrous effects on people’s lives and
health,” Cohen said.

In addition, health providers usually rely on insurance payments for
services. At Park DuValle, staff haven’t been able to bill for the
care they’ve been providing for months. Hagan-Grigsby said the clinic
will hopefully gain the ability to start billing insurers again next
week.

“Health care systems get paid by insurers, and so you can cripple them
financially,” Cohen said.

Watkins, who was picking up a prescription on Friday, pointed out the
impact for the clinic might be larger than just not getting paid by
insurers. She said Park DuValle’s waiting room was empty, and she’d
been able to park right in front of the clinic. Patients, she guessed,
weren’t coming either because they weren’t getting appointment
reminders, or because they’d heard the news.

“It’s empty in there now — it’s not never empty,” Watkins said.
“There’s nobody sitting out here to be registered, and I walked
straight in and straight out.”