[BreachExchange] Spokane’s Columbia Surgical Specialists paid nearly $15,000 in a ransomware attack that compromised patient data

Destry Winant destry at riskbasedsecurity.com
Fri Mar 8 10:20:56 EST 2019


Columbia Surgical Specialists, which operates four medical offices in
Spokane and Spokane Valley, says it paid hackers nearly $15,000 to
decrypt patient information that was held hostage in a ransomware

In a two-page notice sent to patients Thursday, the company said it
learned about the hack on Jan. 9 and “took immediate action to
evaluate the extent and nature of the intrusion and to address the
source as soon as the vulnerability was discovered.”

The company said the compromised files may have included patients’
names, driver’s licenses, Social Security numbers and personal health

“We received notice from the people that encrypted the files just a
few hours before several patients were scheduled for surgeries, and
they made it clear we would not have access to patient information
until we paid a fee,” the company said.

The doctors who own Columbia Surgical Specialists paid $14,649.09.

“We quickly determined that the health and well-being of our patients
was the number one concern,” the company said, “and when we made the
payment they gave us the decryption key so we could immediately
proceed, unlocking the data.”

The company said its cybersecurity provider, Intrinium, analyzed its
systems and “believes that no data was acquired, disclosed or used” by
the hackers, though patient records were exposed during the attack.

Columbia Surgical Specialists said it initially believed records of up
to 400,000 patients may have been compromised, but “after further
investigation, the actual number of potentially affected patients is
substantially smaller.”

The company’s statement didn’t say precisely how many patients might
be at risk, nor did it say how the hackers made contact, how the
doctors transferred the ransom money or what security measures were in
place before the attack.

The company’s chief executive, Dr. Rod Emerson, did not immediately
respond to a message seeking comment Thursday afternoon.

The company has set up a toll-free line for patient inquiries about
the data breach. A message left with that number, (866) 219-2642, was
not immediately returned Thursday evening. One surgeon who works for
the company referred questions to Emerson.

The company said it waited to announce the breach until it fully
understood the situation.

“We worked diligently to make the proper notifications as soon as
possible without causing undue alarm with inaccurate information,” the
statement said.

The company said it’s working with law enforcement and “continuing to
review our internal protocols and procedures to prevent this from
happening again.”

It also reported the breach to the Washington state Attorney General’s
Office and the U.S. Department of Health and Human Services’ Office
for Civil Rights.

Among other operations, Columbia Surgical Specialists runs the Spokane
Ear, Nose & Throat Clinic at 217 W. Cataldo Ave.
