Park DuValle health center pays $70,000 ransom for patient records in cyberattack

LOUISVILLE, Ky. (WDRB) – Park DuValle Community Health Center, a nonprofit that runs medical clinics for low-income and uninsured patients in western Louisville and other areas, has paid hackers nearly $70,000 in hopes of unlocking the medical records of some 20,000 patients that have been held hostage for nearly two months.

Elizabeth Ann Hagan-Grigsby, Park DuValle’s CEO, said in an interview Thursday that the organization has not been able to access its records or appointment scheduling system since June 7 because of a “ransomware” attack – the second such attack on Park DuValle’s computer system since April.

For the last seven weeks, Park DuValle’s four clinics have been unable to make appointments and have had to rely on patients’ memories about previous treatments and medications. They’re writing it all down on paper and storing files in boxes.

“This is everything. This is medical records, contact information, insurance information, anything about a patient…everything is gone,” Hagan-Grigsby said.

The records involved are for past and present patients, she said.

She stressed, however, that the hackers did not obtain the patients’ information, even though they succeeded in walling off the records from Park DuValle’s own personnel.

“Nothing got exposed; nothing at all,” she said. “However, we can’t read what’s in here. It’s like having a piece of paper and it’s in a foreign language that you don’t understand.”

She said Park DuValle, which is partially funded by the federal government, has told the U.S. Department of Health & Human Services there was no data “breach,” and that the organization’s firewalls show there was no “outgoing data.”

Park DuValle suffered an earlier ransomware attack on April 2, losing access to its records for about three weeks, she said.

After the first attack, the organization rebuilt the records system using data that had been “backed up,” or stored elsewhere, and declined to pay the hackers.

But that option was not available when hackers struck again in June, Hagan-Grigsby said.

After consulting with the FBI and information technology specialists, Park DuValle decided to pay the ransom instead of rebuilding its medical records from scratch, she said.

A spokesman for the Louisville FBI office declined to comment.

The payments were made in installments, one made about two weeks ago and one on Monday or Tuesday, Hagan-Grigsby said.

The ransom was paid in the form of 6 bitcoin, the digital crypto-currency, she said. Park DuValle doesn’t know the hackers’ identity or where they are based.

Hagan-Grigsby said the payment in bitcoin amounted to nearly $70,000.

Hagan-Grigsby said Park DuValle is using encryption keys provided by the hackers to restore the data, and the organization hopes to have full access to the data by Aug. 1.

Roman Yampolskiy, director of the Cyber Security Laboratory at the University of Louisville, said Park DuValle’s claim that no patient information was exposed to the hackers is plausible, but he would not take it at face value.

“It’s possible if the hackers’ goal was not information but to extract a ransom, but I wouldn’t trust such safety claims from anyone who failed twice in three weeks at securing their data,” he said.

Yampolskiy added that ransomware attacks are “super common.”

Park DuValle, one of three federally qualified health centers in Louisville, provides primary care, dentistry, behavioral health, laboratory services and obstetrics-gynecology, among other services.

Besides its main clinic in the Park Duvalle neighborhood, it has locations in Russell, in Newburg and in Taylorsville.

Brianna Gilbreath, 28, who has been using Park DuValle as her primary care for two or three years, has wondered what’s been happening at the clinic since June.

On June 19, she said, she tried to get seen at Park DuValle but walked out because there were 10 to 15 people ahead of her in the clinic, which is seeing patients on a walk-in basis because appointments can’t be scheduled.

Gilbreath said she knew that Park DuValle’s computers were down and that the staff was unable to access records, but she didn’t know about the ransomware attack.

Now she worries her data is exposed, despite the assurances from Park DuValle.

“I really like my doctor there and I don’t want to leave her, but that is really scary,” she said.

Asked how Park DuValle can be sure no data was exposed, Hagan-Grigsby said in a sit-down interview Thursday: “I have had three different IT companies say there was no breach, nothing was exposed.”

When WDRB News later asked to speak directly with those companies, Hagan-Grigsby said she misspoke, and that it was only her internal IT personnel – not the third-party companies — who verified there was no breach.

“Several companies are involved in the recovery process, but would not be able to help with the patient data issue. Our own staff checked our firewalls to determine if there was any outgoing data. There was no(ne). I do not have any more proof I can give you,” she said in an email.

Hagan-Grigsby said the organization has been upfront with patients about not having access to their records and not being able to take appointments, though she acknowledged they hadn’t previously disclosed the ransomware attacks.

She said Park DuValle hasn’t been able to send patients in a mass letter or email about the situation – because as long as the data is held for ransomware, their contact information is not accessible.

All told, Park DuValle is “probably” out more than $1 million because of the ransomware attacks, Hagan-Grigsby said.

In addition to the ransom and a couple hundred thousand dollars in outside IT support, the organization hasn’t been able to send claims for reimbursement to insurance companies and other payers because of they can’t be generated, she said.

Hagan-Grigsby said Medicaid, the government program that covers about half the center’s patients, will pay claims that are six months to a year old, so Park DuValle will be billing for services rendered during the downtime once the records are available again.

Some commercial insurers have tighter deadlines, so services may go uncompensated, she said.

And because the clinics have been operating on a walk-in basis, instead of appointment-based, fewer patients have been seen, she said.

Park DuValle has an annual budget of about $15 million, she said.


Article by channel:

Read more articles tagged: Ransomware