Records of about 85,000 people compromised in Grays Harbor hospital hack

About 85,000 people – virtually anyone who has had dealings in recent years with Grays Harbor Community Hospital or its subsidiary, Grays Harbor Medical Group, which includes most of the doctors in the Aberdeen and Hoquiam area – will soon receive a letter saying their personal and medical information has been compromised by hackers.

Hospital officials told The Daily World they don’t believe the information has been accessed by the hackers or shared with others, but they can’t be sure and are making the notification as a matter of caution. About 10,000 letters will go to Harbor Medical Group patients and the rest to people who have had transactions with the hospital.

Credit monitoring will be made available for free and a toll-free call center is being set up to answer questions. The call center number is 833-762-0219. It’s open from 7:30 a.m. to 5 p.m. Pacific time, Monday through Friday.

The hacking incident has been an open secret in the community and discussed on social media, but it’s taken two months for the hospital to acknowledge it publicly and talk about the extent of the problem. And the problem is ongoing. Officials still don’t know what the extent of financial losses might be or whether all the information will be recovered.

This case is typical of an increasingly serious problem with government agencies and private businesses. The hackers introduce malware to a computer system and encrypt information so that even the organization can’t see it. They demand a ransom to turn over the key to getting past the encryption. Hospital CEO Tom Jensen said the hackers demanded the ransom in Bitcoin. As of Tuesday, the equivalent in dollars was probably more than $1 million, he said.

The problem was worse at the clinics. Ironically, Jensen said, the hospital’s older software meant the ransomware wouldn’t work on the hospital’s main system for managing patient information. But it was effective at the clinics, which are still hampered, Jensen said, meaning medical records, including prescriptions, are still not available and records are still being kept on paper.

Because the malware didn’t affect the older hospital records the same way, patients’ medical records at the hospital are still available, Jensen said.

Hospital officials say patient care wasn’t compromised at any time. Surgeries continued, the emergency department operated and patients saw their doctors. However, at the clinics, providers had to ask patients to bring certain information – such as lists of medications – with them to appointments. And some appointments were delayed.

The problem probably started when someone clicked on what’s known as a “phishing” email, Jensen said, maybe an authentic-looking enticement for a free gift card, for instance. The changes that will be made in the aftermath will include training for employees.

The attack started on June 15, a Saturday. Jensen said he’s been told that attacks like this often start on a weekend when IT staffs are thin. For the first two or three days it was treated as essentially an IT problem. The technical people started turning off servers Monday morning to contain it, but in those first days it had already been widely spread. The FBI was called early in the process, Jensen said.

A full forensic review is underway, but there are still many unanswered questions, he said.

Grays Harbor Hospital District 2, which operates the hospital and clinics, has cybersecurity insurance with a $1 million cap, Jensen said. He’s hoping that will cover the losses to the district, but since the situation is ongoing, it’s too early to tell.

One of the problems was that for five days they couldn’t process payments, and with no money coming in, that was a big problem for the already cash-strapped operation, Jensen said. That money isn’t lost, but the cash flow and timing were a problem.

Hospital officials have heard the second guessing about inadequate cybersecurity. “Hindsight is always easier. We’ll have a better understanding when the forensics report is done,” Jensen said. “It’s easy to say, ‘If you’d only done that.’ We get it.”

Jensen said every organization is vulnerable and setting up cybersecurity is a moving target. The state of Louisiana and the judicial system in Georgia were hit with the same malware, he said.

Jensen said the hospital had anti-virus software and backups of the system, but even the backups were hit.

“Hospitals nationwide are under attack from these faceless criminals,” he said in a statement. “As with many other organizations, we thought we were well prepared, and we were still victimized.”

Jensen said the hospital was not able to be transparent about the attack because its insurers were managing the response and said comments to the media would make things worse. “We’d have been more transparent (in talking about the problem) if we’d have been allowed to,” he said.

The hospital will be briefing employees at forums this week, but they have essentially been kept in the dark until now.

The ransomware attack comes at a time when the hospital has started to show financial improvement. Just a year ago, it wasn’t clear whether the hospital would survive, partly because of its extremely high number of patients covered by government insurance, which has low reimbursement rates.

Management took steps to increase reimbursement rates, refinanced what had been a crippling debt that threatened foreclosure and, at the insistence of bank creditors, hired consultants that made significant operational changes, including the layoff of dozens of employees.

After years of losses, the hospital is starting to operate in the black some months. But the fix to avoid future computer problems will mean additional costs, such as upgrades to security, software, hardware and more training.

It’s too early to say whether the still-missing records will be permanently inaccessible, Jensen said. Even if the hackers provided the key, typically it only works for about 90 percent of the information, the FBI told hospital officials. Still, if the hospital does get the encryption key, the FBI wants it, Jensen said.