560 Healthcare Providers Fell Victim to Ransomware Attacks in 2020

January 19, 2021 - In the midst of responding to COVID-19, the healthcare sector faced a significant number of ransomware attacks in 2020 with 560 healthcare provider facilities falling victim to the malware variant, according to the latest Emsisoft State of Ransomware report.

The last quarter of 2019 saw an unprecedented number of ransomware incidents in the healthcare sector. And while the number of reported successful attacks petered off during the first half of 2020, those numbers drastically increased through a coordinated ransomware wave that began in September.

Overall, Emsisoft data shows at least 2,354 US government, healthcare, and schools were impacted by ransomware attacks in 2020.

The education sector saw the greatest number of successful attacks with 1,681 schools, colleges, and universities impacted by the threat. Federal, state, and municipal governments and agencies reported 113 successful attacks.

The second half of the year saw some of the greatest impact from ransomware, with a host of healthcare ransomware victims were driven into EHR downtime. These attacks also caused other life-threatening disruptions, including the diverson of ambulances, inaccessible lab tests, and the like.

READ MORE: FBI: Ragnar Locker Ransomware Attacks Increase With Data Theft Risk

Hackers continued to heavily target the healthcare sector throughout the year, with at least 80 separate incidents. For Emsisoft, the most significant incident was seen with the attack on Universal Health Services, which operates more than 400 hospitals and care facilities in the US.

All sites were impacted by the attack, which was first disclosed by employees who were concerned by what appeared to be IT issues at facilities across the country.

“The impact of the attacks was alarming: ambulances were rerouted, radiation treatments for cancer patients were delayed, medical records were rendered temporarily inaccessible and, in some cases, permanently lost, while hundreds of staff were furloughed as a result of the disruptions,” researchers wrote.

A prime example of ransomware fallout can be seen with the attack on the University of Vermont Health Network. The health system was forced to operate under EHR downtime procedures for more than a month, with its patient portal, EHR, and lab result inaccessible for most of its care sites during that time.

The main campus medical center was the hardest hit by the attack, including a lack of electronic communications across the network. Given the severity and extent of the attack, the Governor of Vermont deployed the Army National Guard’s Cyber Response to assist with recovery efforts. 

READ MORE: FBI Warns Egregor Ransomware Actors Actively Extorting Entities

Further, estimates show the attack cost UVM about $1.5 million a day in increased expenses and lost revenue. Those costs don’t include expenditures on recovering the system from the attack, according to local news outlet VT Digger. 

With at least 42 days since the launch of the attack, the total impact could reach a total of at least $63 million. The health system was also forced to push back its planned EHR implementation due to the attack.

The Emsisoft report highlighted the other severe fallout from ransomware: exfiltration and extortion effort. Coveware data found extortion attempts occur in half of all ransomware attacks. Part of the increase could be attributed to a rise in the number of hacking groups leveraging exfiltration.

At the start of 2020, Emsisoft noted that just the Maze hacking group leveraged this malicious tactic. But by the end of the year, at least 17 other cybercriminal groups adopted extortion and published a record amount of stolen data in online dark web forums.

In total, at least 58 public sector entities had data stolen ahead of a ransomware attack, with 56 occuring during the second half of the year. And more than 1,300 private sector companies, many US-based, lost data through exfiltration.

READ MORE: Biggest Healthcare Security Threats, Ransomware Trends into 2021

For healthcare, PHI and other sensitive data was stolen and published online in at least 12 incidents. All of the incidents occurred during the second half of 2020.

“This is simply the number of companies which had data published on leak sites and takes no account of the companies which paid to prevent publication,” researchers wrote. “We believe it is probable that some data was sold to companies’ competitors or passed to other governments.” 

“A number of threat actors are known to auction data or to invite offers from interested third parties, while others may contract to other governments or even be in their direct employ,” they added.

What’s more, 2021 is on pace to be another severe year for cyberattacks unless entities take significant action now. Public sector entities may face the greatest challenges, as they remain prime targets for hackers and are typically less secure.

Emsisoft also predicts that data theft will double in the coming year, as cybercriminals adopt proven strategies in their attacks. Providers and organizations from other sectors continue to pay ransom demands, which proves exfiltration is a successful business model.

For healthcare providers, it’s imperative to adopt a proactive approach to cybersecurity. Administrators and other security leaders should review previous insights from Microsoft, the Office for Civil Rights, the FBI, and CISA, among others, to tackle the ransomware threat before falling victim.

“We also anticipate that cybercriminals will put stolen data to more use, using it to attack the individuals to which it relates in order to put additional pressure on the organizations from which it was stolen,” researchers noted. “The ransomware problem will not be easy to solve… but solutions must nonetheless be found.”

“2021 need not be a repeat of 2020,” Emsisoft CTO Fabian Woser, said in a statement. “Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.”