Families of organ, eye and tissue donors are receiving letters this week from the Midwest Transplant Network informing them of a data breach affecting more than 17,000 individuals.
The breach, a malicious ransomware attack, occurred in February and locked Midwest Transplant Network out of its files for a brief period before it was able to regain access.
According to the letter, which was sent out on Friday, the ransomware attackers were able to obtain some personal health information about deceased donors and organ recipients, including names, dates of birth and types of organ donation or transplantation procedures.
“As soon as we learned about the data security incident on Feb. 11, we began working with a team of security experts to quickly halt the unauthorized access,” said Michala Stoker, a spokeswoman for Midwest Transplant Network. “We also notified the FBI and we continue to communicate and work with them regularly.”
Stoker was unable to say whether Midwest Transplant Network paid a ransom in order to regain access to its files.
“That’s technical information that I’m unable to answer,” she said.
The U.S. Department of Health and Human Services defines ransomware as a type of malicious software that “attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.”
Health care organizations have been particularly ripe targets for ransomware attacks, according to Beazley, an insurer that provides cyber coverage for hospitals and other clients.
Truman Medical Centers in Kansas City got hit with a ransomware attack about two years ago, locking the hospital network out of parts of its computer system.
Truman said it agreed to pay the attackers “a small amount” to regain access to unlock the data.
And a ransomware attack about three years ago targeted Blue Springs Family Care in Blue Springs, Mo., affecting nearly 45,000 patients. The medical practice did not pay a ransom and was able to regain access to its system by using backups, according to a spokeswoman for the practice.
Stoker said Midwest Transplant Network had no reason to believe the cyberattackers sold or otherwise distributed the data they obtained. But the network has, “out of an abundance of caution,” contracted with cybersecurity firm Kroll to address inquiries about the incident.
Stoker said that following the attack, “We were able to continue to do our life-saving work.”
She said the letter informing families of the attack only went out last week because “we wanted to make sure we got a correct list of those individuals who had been impacted.”
“It wasn’t something that just happened overnight,” Stoker said. “We needed to continue to work with authorities, and we also wanted to make sure that all of our information was safe and secure, so that was a priority.”
Midwest Transplant Network is based in the Kansas City suburb of Westwood, Kansas. Established in 1973, it provides laboratory, organ procurement and tissue recovery services.
In 2019, it was responsible for transplanting 929 organs from a total of 282 organ donors, according to its 2019 annual report, the last one available. It also oversaw eye and tissue donations from a total of 1,896 donors.