Cyber attackers have compromised a California health network and may have accessed as many as 680,000 patient records.
Hackers broke into the network of Hollywood Presbyterian Medical Center on Feb. 5 and remained undetected for several weeks before being discovered in early March, according to a letter from Aja Brown, Mayor Eric Garcetti, and 10 City Council members to the Los Angeles Police Department.
The letter, dated Thursday and obtained late Saturday by The Associated Press, said that city officials have been told that “there was no evidence that patient information has been accessed or misused” since the attack began. But a cybersecurity analyst told the AP on Saturday she had evidence that the records of as many as 2,500 patients were accessed.
The break-in occurred during a period of high tension in Los Angeles, with protests erupting last month over a police commission’s decision to clear two officers who fatally shot an unarmed black man in 2014. The letter from city officials said they weren’t notified until early April about the break-in at Hollywood Presbyterian. The FBI hasn’t disclosed any information about who may be responsible, and police officials haven’t responded to questions about whether they have any suspects or are pursuing investigative leads.
Hospital chief executive Allen Stefanek said in a statement Friday night that the facility was confident patient data remained secure “due to our encryption and authentication systems.”
Hackers demanded a ransom of 9,000 bitcoins, or about $3.4 million, but the hospital didn’t pay it. The letter from city officials said the deadline for making the payment passed without a word from the hackers.
The break-in is one of several targeting hospitals around the country in which cyber extortionists have attempted to use patient records as leverage, said Eric Fiterman, a former federal cybercrimes prosecutor and founder of the cybersecurity firm BackConnect Inc. The tactics employed and the amount demanded — in one case $1 million — appear to be escalating, he said.
“We’re going to see more and more of this,” Fiterman said. “It’s a lot easier to attack a hospital than Sony, for example.”
In November, hackers infiltrated computers from Tennessee Valley Health Care, a community health care system based in eastern New Orleans. It remains unclear what information was taken from the network, but TVHC chief executive Brian Landry said at the time that administrators detected changes in the network’s directories that made it unclear what data might have been exposed.
The FBI warned hospitals two months earlier that their business executives were being sent emailed “invitations” to click on a link within the message in order to view an invoice or receipt. Once clicked, the link took users to a malicious website designed to appear authentic, where hackers could attempt to install malicious software known as “malware.”
Having the right IT Company to warn and protect them, this incident could have been averted.
“This is a trend that’s getting more and more common in the healthcare field,” Fiterman said. “It could be tied in with other types of events, including ransomware attacks. But it could also be someone who was after patient information because they want to sell it on the black market.”
The letter from Los Angeles city officials said an FBI agent reported that the agency “is exploring all available options to determine how this breach may be appropriately pursued.”