Healthcare Ransomware Attacks

Healthcare Under Attack: The Rising Ransomware Threat

When Was the First Known Ransomware Threat?

The first known ransomware attack occurred in 1989 with the AIDS Trojan. Cyber criminals mailed floppy disks containing malware disguised as educational material to employees of the World Health Organization (WHO). Disks were received in 90 countries; many employees were AIDS researchers and medical professionals. Once a disk was inserted into a computer, the malware waited for 90 system reboots, then encrypted the filenames and demanded that the employee mail $189 to a PO Box in Panama. Many employees panicked and deleted possibly years of AIDS research, hoping it would reverse the malware, which not only caused workflow interruptions but also delayed important research. This happened decades ago, but today's cyber criminals still use similar tactics, exploiting psychological fear and a lack of data security training to compromise our most sensitive data.

This attack helped set the stage for cybersecurity conversations, highlighting the importance of technical safeguards, policies, and employee training.

Have we learned our lessons from the past or do we continue to make the same mistakes?

What We Have Learned From Past Ransomware Threats and Attacks

Guam Memorial Hospital Authority (GMHA), a public hospital, recently settled a cybersecurity investigation with OCR after two incidents, one being a ransomware attack in 2019 that affected the ePHI of approximately 5,000 individuals. OCR determined that hackers were able to access the protected health information in part because GMHA had failed to conduct the necessary risk analysis to determine the potential risks and vulnerabilities of its organization's information systems. GMHA paid the OCR $25,000 and agreed to implement a corrective action plan for three years as part of the settlement. Part of the action plan includes conducting an accurate and thorough risk analysis, developing a more robust HIPAA training program, and reviewing access logs to ensure that credentials have not been compromised.

More recently, in 2024, one of the largest per capita class action lawsuit settlements in healthcare data breach history occurred after the criminal enterprise Black Cat stole and ransomed the PHI of almost 135,000 patients. Black Cat attacked Lehigh Valley Health Network (LVHN) by targeting a single physician practice within its network, which then gave the attackers access to a larger amount of data. LVHN refused the $5 million ransom, as advised by the FBI, and Black Cat retaliated by posting nude medical photos of at least 600 patients on the dark web. Members of the class action lawsuit accused LVHN of prioritizing profit over protecting their health data, and many must live with the fact that their compromised photos are still out there. The class action settlement is set to pay out $65 million to those affected. Crime organizations, such as Black Cat, often exploit vulnerabilities through phishing tactics, compromised credentials, and insecure data storage. The actual strategy used in this attack was not directly stated, but the investigation mentioned that two of the servers that were hacked were obsolete and very likely did not have updated security controls. The use of psychological warfare and the exploitation of legacy systems will continue to plague healthcare systems.

According to a Microsoft Threat Intelligence report, in 2024 alone, nearly 400 U.S. healthcare organizations were hit by ransomware. The attacks happened to small and large organizations with almost 82% of the attacks targeting organizations with fewer than 500 employees.

What must we learn from the past to protect our present businesses to ensure that they have a future?

Today's Ransomware Attack Concerns

OCR Acting Director Anthony Archeval recently stated, after a hacked email account led to the breach of nearly 200,000 individuals' health information, "HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients' protected health information."

Here are the actionable steps your organization can take now to lower your risk of a ransomware incident:

  • Conduct regular security risk assessments to identify and mitigate vulnerabilities.
  • Require multi-factor authentication for credentials that access PHI.
  • Prioritize HIPAA and cybersecurity employee training.
  • Ensure your policies and procedures include data backup protocols.
  • Encrypt all data in transit and at rest that contains PHI.
  • Regularly audit access logs for suspicious activity.
  • Develop an Incident Response Plan.

The Rising Threat of Ransomware Attacks

The rising threat of ransomware attacks is only going to grow. As new technologies arrive at a rapid rate, oftentimes we fall behind in safeguarding our businesses. It is essential that we learn from the past and ensure that complacency, underfunding, or human error do not compromise the integrity of healthcare organizations or the safety of the patients who rely on us to protect their information.

Integrating technical safeguards, employee training, and proactive risk strategies enables healthcare organizations to substantially mitigate ransomware risks while upholding HIPAA compliance. Don't wait until you're under attack and the damage has been done to implement these necessary tools.