Records of 85,000 involved in hospital hack

About 85,000 people, virtually anyone who has had dealings in recent years with Grays Harbor Community Hospital or its subsidiary, Grays Harbor Medical Group, which includes eight clinics and most of the doctors in the Aberdeen and Hoquiam area, will soon be receiving a letter saying their personal and medical information has been compromised by hackers.

Hospital officials told The Daily World they don’t believe the information has been accessed by the hackers or shared with others, but they can’t be sure and are making the notification as a matter of caution. The letters are being mailed Wednesday and Thursday. About 10,000 will go to Harbor Medical Group patients and the rest to people who have had transactions with the hospital.

Credit monitoring will be made available for free and a toll-free call center is being set up to answer questions.

The call center number is 833-762-0219. It’s open from 7:30 a.m. to 5 p.m. Pacific time, Monday through Friday.

The hacking incident has been an open secret in the community and discussed on social media, but it’s taken two months for the hospital to acknowledge it publicly and talk about the extent of the problem. And the problem is ongoing. Officials still don’t know what the extent of financial losses might be or whether all the information will be recovered.

This case is typical of an increasingly serious problem with government agencies and private businesses. The hackers introduce malware to a computer system and encrypt information so that even the organization can’t see it. They demand a ransom to turn over the key to getting past the encryption. Hospital CEO Tom Jensen said the hackers demanded the ransom in Bitcoin. As of Tuesday, the equivalent in dollars was probably more than $1 million, he said.

The problem was worse at the clinics. Ironically, Jensen said, the hospital’s older software meant the ransomware wouldn’t work on the hospital’s main system for managing patient information. But it was effective at the clinics, which are still hampered, Jensen said, meaning medical records, including prescriptions, are still not available and records are still being kept on paper.

Because the malware didn’t affect the older hospital records the same way, patients’ medical records at the hospital are still available, Jensen said.

Hospital officials say patient care wasn’t compromised at any time. Surgeries continued, the emergency department operated and patients saw their doctors. The inconvenience was worse at the clinics, where providers had to ask patients to bring certain information — such as lists of medications — with them to appointments. And some appointments were delayed.

The problem probably started when someone clicked on what’s known as a “phishing” email, Jensen said, maybe an authentic-looking enticement for a free gift card, for instance. Part of the changes that will be made in the aftermath will include training for employees.

The attack started on June 15, a Saturday. Jensen said he’s been told that attacks like this often start on a weekend when IT staffs are thin. For the first two or three days it was treated as essentially an IT problem. The technical people started turning off servers Monday morning to contain it, but in those first days it had already been widely spread. The FBI was called early in the process, Jensen said.

A full forensic review is underway, but there are still many unanswered questions at this point, he said.

Grays Harbor Hospital District 2, which operates the hospital and clinics, has cybersecurity insurance with a $1 million cap, Jensen said. He’s hoping that will cover the losses to the district, but since the situation is ongoing, it’s too early to tell.

One of the problems was that there were five days when they couldn’t process payments and with no money coming in it was a big problem for the already cash-strapped operation, Jensen said. That money isn’t lost, but the cash flow and timing was a problem.

Hospital officials have heard the second-guessing about inadequate cybersecurity. “Hindsight is always easier. We’ll have a better understanding when the forensics report is done,” Jensen said. “It’s easy to say, ‘If you’d only done that.’ We get it.”

Jensen said every organization is vulnerable and setting up cybersecurity is a moving target. “You don’t know what you don’t know.” The state of Louisiana and the judicial system in Georgia were hit with the same malware, he said.

Jensen said there was anti-virus software and backups to the system, but even the backups were hit.

“Hospitals nationwide are under attack from these faceless criminals,” he said in a statement. “As with many other organizations, we thought we were well prepared, and we were still victimized. We are proud of the efforts of our providers and staff continuing the same level of excellent patient care during this setback. We are grateful for the help we have received and the words of encouragement from those who have experienced this type of crime.”

Jensen was asked what criticism has been hardest to respond to. “We’d have been more transparent (in talking about the problem) if we’d have been allowed to,” he said.

The insurers were managing the response and said it would make things worse to talk to the press, he said.

In addition to the letters and the call center line, the hospital will be briefing employees at forums this week, but they have essentially been kept in the dark until now.

The ransomware attack comes at a time when the hospital has started to show financial improvement. Just a year ago, it wasn’t clear whether the hospital would survive, one of its problems being an extremely high number of patients who don’t have private insurance, which generally pays at a higher rate than government insurance.

Management took steps to increase reimbursement rates, refinanced what had been a crippling debt that essentially threatened foreclosure and, at the insistence of bank creditors, hired consultants that made significant operational changes, including the layoff of dozens of employees.

After years of losses the hospital is starting to operate in the black some months. Jensen said he’s still dealing with the attack and hasn’t had time to reflect on the timing of it, but the attack definitely has been “disheartening.”

The fix to avoid problems in the future will mean additional cost, too. Jensen said it will mean upgrades to security, software, hardware and more training.

The forensic review will examine the district’s operating procedures. In some cases, Jensen said, when networks weren’t able to communicate, the setup may have been changed internally to make it easier, but that could have made the organization more vulnerable.

It’s too early to say whether the still missing records will be permanently inaccessible, Jensen said. Even if the hackers provided the key, typically it only works for about 90 percent of the information, the FBI told hospital officials. Still, if the hospital does get the encryption key, the FBI wants it, Jensen said.