Pressured by pending procedures, surgical practice pays ransom

Crippled by a ransomware attack, Columbia Surgical Specialists paid nearly $15,000 in January to regain data after hackers maliciously encrypted records.

The practice, which is based in Spokane, Wash., and operates five sites with 12 physicians, has notified patients and the HHS Office for Civil Rights that it felt compelled to pay $14,649.09 to regain control of its patient data after the attack.

Initially, the organization informed HHS that information covering as many as 400,000 patients was encrypted. However, after further investigation, Columbia Surgical said the actual number of potentially affected patients is substantially smaller, although HHS still has the 400,000 figure on its data breach web site.

Refusal to pay a ransom was not an option, the practice told patients and regulators, as the hackers encrypted the files just a few hours before several patients were scheduled for surgeries, “and they made it clear we would not have access to patient information until we paid a fee.”

“We quickly determined that the health and well-being of our patients was the No. 1 concern, and when we made the payment, they gave us the decryption key so we could immediately proceed unlocking the data,” the practice further explained. “We believe the information was locked but not obtained by the perpetrators. The payment came from the doctors who own Columbia and will not be passed on to our patients.”

Columbia Surgical Specialists also noted there is no evidence that patient information has been misused, and the company believes no data was acquired, disclosed or used.

“Instead, as is the nature of ransomware, it is the Company’s belief, based on available information, that certain files were simply corrupted with unauthorized encryption measures to prevent the Company’s temporary use or access of that data.”

The practice also apologized to patients, a step that has become common since HHS suggested to the industry that it would like to see organizations apologize.

“We value a strong relationship with our patients. We know the foundation of that relationship is built on trust, and that we need to roll up our sleeves and work daily to regain that trust. You have our word that we will.”
