A ransomware attack on Spokane, Washington-based Columbia Surgical Specialists on Jan. 9 resulted in unauthorized access to the medical records of almost 400,000 patients, the healthcare provider said in a press release. Although the FBI and security companies advise organizations not to give in to hacker demands, the company paid almost $15,000 in ransom for a decryption key, arguing that the health of its patients was more important, as surgeries were scheduled for that day.
“Yes, we paid $14,649.09. We received notice from the people that encrypted the files just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee,” the firm said. “We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data. (Again, we believe the information was locked, but not obtained, by the perpetrators). The payment came from the doctors who own Columbia, and will not be passed on to our patients.”
Columbia Surgical Specialists said it only reported the data breach on March 7 because of an ongoing investigation into its networks to determine how the security incident happened. While the company claims no data was stolen or compromised, it thought it best to warn clients that personal data such as name, driver's license, Social Security number and other health information may have slipped out. There's no evidence that data was misused by third parties, it claims, and when the forensic investigation was finalized the number of patients who may have been affected dropped significantly.
The incident was reported to the US Department of Health and Human Services' Office for Civil Rights, local news and the Washington State Office of the Attorney General, as per legal requirements.