A recent report headlining that 560 healthcare facilities were impacted by ransomware attacks in 2020 may have seemed shocking until you realize any one ransomware attack can impact multiple hospitals or clinics in a network (just think of the Universal Health Services incident where the Pennsylvania-based system took 400 facilities offline when they were attacked). In their article, Emisoft had reported that there were 80 ransomware incidents that had impacted at least 560 facilities.
There’s another example in the news this week: a third-party mailing service, Metro Presort, was hit with Ryuk ransomware in May, 2019. Metro refused to pay the ransom demand. At the time of the attack, they were currently servicing 21 healthcare entities, providing mailings, invoices, and other services. So some people had their name, address, and health identification compromised.
One of the impacted clients was Salem Clinic, who had 20,928 patients impacted. Another entity was Oregon Heart Center, who had 3,172 people impacted.
We did not hear about that report in 2019, though. Nor in 2020, it seems. It was just in the news this week with a statement that in December, OCR had ruled that no violation of HIPAA had occurred, and that it was closing its investigation. But were these reports ever on HHS’s public breach tool? When was HHS actually notified? When were patients notified?
You can read Virginia Barreda’s report on Salem Statesman Journal.