Kansas City's Truman Medical Centers was hit with a ransomware attack on Tuesday morning that locked the hospital out of parts of its computer system.
The attackers demanded money to unlock the data, and the safety net hospital agreed to pay a small amount, Truman said in a statement Wednesday.
“TMC worked with a third-party negotiator, its cyber insurance carrier and outside cyber counsel to pay a small amount of money, for which the medical center was insured,” the statement said.
The hospital said that patients’ personal health and financial information is kept on another system and was not affected by the attack.
“They weren’t looking for information. It looks like they were more looking for ransom,” said Leslie Carto, a spokeswoman for Truman.
Carto declined to say how much money Truman paid to free up its computer system.
Last month, a Kentucky health care provider, Park DuValle Community Health Center in Louisville, paid hackers $70,000 in bitcoin to unlock the medical records of about 20,000 patients after a ransomware attack locked up its system for nearly two months, according to news accounts there.
Municipalities also have been the targets of recent ransomware attacks, including Baltimore, Atlanta and Greenville, North Carolina. The Baltimore attackers demanded $76,000 in bitcoin ransom, which the city refused to pay; the city recently proposed using $10 million in excess revenues to pay for the costs of recovery, according to the Baltimore Sun.
The U.S. Department of Health and Human Services defines ransomware as a type of malicious software that “attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.”
Health care systems have been particularly ripe targets, accounting for more than a third of ransomware attacks, according to Beazley, an insurer that provides cyber coverage for hospitals and other clients.
“In the more sophisticated attacks, we have also seen ransom demands increase significantly, up to as high as $2.8 million,” Beazley wrote in a report assessing ransomware incidents last October. “In these instances, criminals have either targeted the victim organization or upon obtaining access discovered that they had more leverage and therefore increased the ransom demand. They’ve also done reconnaissance on the victim’s network and compromised back-ups before deploying the encrypting malware, which puts pressure on the organization to pay the ransom.”
A ransomware attack a year ago on Blue Springs Family Care in Blue Springs, Missouri, affected nearly 45,000 patients. The medical practice did not pay a ransom and was able to regain access to its system by using backups, according to a spokeswoman.
Dan Margolies is a senior reporter and editor at KCUR. You can reach him on Twitter @DanMargolies.