UCSF issued a statement noting that malware detected in early June led to the encryption of “a limited number of servers” in its medical school, making them temporarily inaccessible.
“We do not currently believe patient medical records were exposed,” the university said in the statement.
It added that because the encrypted data were necessary for “some of the academic work” conducted at UCSF, the university agreed to pay a portion of the ransom demand – about $1.14 million. The hackers then provided a tool that unlocked the encrypted data.
“We continue to cooperate with law enforcement and we appreciate everyone’s understanding that we are limited in what we can share while we continue our investigation,” the statement reads. UCSF declined a request for further comment.
At Sky Lakes Medical Center, computer systems, including electronic medical records, are still down after the ransomware attack, but the Oregon-based health care system is still seeing patients.
They are “being interviewed old school,” with the admitting process being conducted on paper, “but patient care goes on,” said Mr. Hottman.
In addition to a teaching hospital, Sky Lakes comprises specialty and primary care clinics, including a cancer treatment center. All remain open to patients at this time.
Diagnostic imaging is also continuing, but “getting the image to a place it can be read” has become more complicated, said Mr. Hottman.
“We have some work-arounds in process, and a plan is being assembled that we think will be in place as early as this weekend so that we can get those images read starting next week,” he said.
In addition, “scheduling is a little clunky,” he reported. However, “we have an awesome staff with a good attitude, so there’s still a whole lot we can do.”
He also noted that his institution has reconfirmed that, as of Nov. 4, no patient data had been compromised.
Targeting hospitals through cyberattacks isn’t new. In 2017, the WannaCry virus affected more than 200,000 computers in 150 countries, including the operating system of the U.K. National Health Service. The cyberattack locked clinicians out of NHS patient records and other digital tools for 3 days.
Dr. Appelbaum noted that, as hospital systems become more dependent on the Internet and on electronic communications, they become more vulnerable to data breaches.
“I think it’s clear that there have been concerted efforts lately to undertake attacks on health care IT systems to either hold them hostage, as in a ransomware attack, or to download files and use that information for profit,” he said.
Still, Dr. Vahia noted that contacting patients directly, which occurred in the Finland data breach and blackmail scheme, is something new. It is “especially chilling” that individual psychiatric patients were targeted.
“It’s difficult to overstate how big a deal this is, and we should be treating it with the appropriate level of urgency,” he said in an interview.
“It shows how badly things can go wrong when security is compromised; and it should make us take a step back and survey the world of digital health to gain recognition of how much risk there might be that we haven’t really understood before,” Dr. Vahia said.