[BreachExchange] IT services company hit with ransomware, cutting off nursing homes' access to patient medical records

Destry Winant destry at riskbasedsecurity.com
Tue Nov 26 09:56:28 EST 2019


https://www.fiercehealthcare.com/tech/nursing-home-it-company-hit-ransomware-cutting-off-providers-access-to-patient-medical-records

A technology company that provides services to more than 100 nursing
homes and long-term post-acute care facilities was hit with a
ransomware attack that crippled its servers and cut off access to
patient medical records.

Hackers demanded a ransom of roughly $14 million in bitcoin.

The hack against Virtual Care Provider Inc. (VCPI) means some
locations cannot access patient records, use the internet, pay
employees or order medications. The Milwaukee-based company provides
internet access, cloud hosting and security services to primarily
senior living and long-term care facilities, including 110 nursing
home organizations with some 80,000 computers across 45 states.

In a company memo (PDF) sent to clients Nov. 18, obtained by the
Milwaukee Journal Sentinel, Virtual Care Provider executives said the
business was attacked with Ryuk encryption ransomware spread by the
TrickBot virus. The company estimated 20% of its servers were affected
by the virus.

Company executives said their monitoring systems quickly discovered
the attack and the spread of the malware, and the company launched its
incident response and management process. It then contacted its
cybersecurity insurance policy provider, Beazley, which connected VCPI
to a third-party cybersecurity incident response firm.

"We are prioritizing servers that provide active directory access,
email, eMAR, and EHR (electronic health record) applications," company
officials said in the memo.

Company executives did not respond to FierceHealthcare's emails and
phone calls requesting comment about the ransomware attack.

VCPI chief executive Karen Christianson told cybersecurity blogger
Brian Krebs the ransomware attack affected virtually all of the
company's core offerings, including Internet service and email, access
to patient records, client billing, and phone systems, and even VCPI’s
own payroll operations that serve nearly 150 company employees.

"Right now all we’re dealing with is getting electronic medical
records back up and life-threatening situations handled first,"
Christianson said. She told Krebs some affected facilities could be
forced out of business, and patients' health is at risk if the data is
not accessible.

Christianson said her firm cannot afford to pay the ransom amount
being demanded.

“We’ve got some facilities where the nurses can’t get the drugs
updated and the order put in so the drugs can arrive on time,” she
said. “In another case, we have this one small assisted living place
that is just a single unit that connects to billing. And if they don’t
get their billing into Medicaid by December 5, they close their doors.
Seniors that don’t have family to go to are then done. We have a lot
of [clients] right now who are like, ‘Just give me my data,’ but we
can’t.”

In a statement to the Milwaukee Journal Sentinel, Virtual Care
President Zachary Koch said the company has launched an internal
investigation and hired security experts. Virtual Care is working
diligently to restore the systems as quickly and safely as possible,
Koch said.

The impact on the 110 health care facilities the company supports
varies based on how much data each gave Virtual Care. Some facilities
use the company for tech support, while others rely on the firm to
host their websites, email systems, phone lines, and patient records,
the Milwaukee Journal Sentinel reported.

Over the last two years companies of all sizes have been targeted by
Ryuk and its variants, according to Eyal Aharoni, vice president of
customer success at cybersecurity company Cymulate.

A hospital in France, University Hospital Centre in Rouen, announced
it was hit by a ransomware attack that knocked its computer systems
offline, forcing staff to resort to pen and paper. The 1,300-bed
hospital revealed in a posting on Facebook on Nov. 19 that it was the
victim of an attack and admitted to "very long delays in care."

Alabama-based DCH Health System also was hit with Ryuk ransomware back
in October and paid the hackers for a decryption key to restore access
to locked systems.

"For a malware that’s been around this long, attacks reaching epidemic
levels and dominating media discourse, companies are falling short of
excuses," Aharoni told FierceHealthcare via email.

The probability of hackers using Ryuk variants to leverage lateral
movement capabilities is extremely high, Aharoni said, enabling them
to exploit vulnerabilities such as EternalBlue (a software
vulnerability in Windows) or BlueKeep (a vulnerability in Microsoft's
Remote Desktop Protocol implementation).

"Victims of these attacks are due to their IT/security teams not
updating systems with the latest patches or deploying their security
configurations correctly, both of which should be implemented and
strictly adhered to as part of security housekeeping and policy," he
said.

