An article by William Maruca of FoxRothschild is headlined, “Ransomware Claims A Victim.” It discusses the case of Brookside ENT, whose doctors decided to shutter their practice and retire a year early after a ransomware attack that encrypted their patient data, billing information, scheduling information, and even their backups. In other words, the attacker successfully crippled the practice and any chance it stood of restoring from the backups it had. Under the circumstances, I’m a bit surprised that the attacker only demanded $6,500.00.
In any event after reading more about the incident and mulling it over for the past two weeks, I’m going to politely disagree with the assessment that ransomware claimed a victim, because although ransomware was involved, the doctors., Dr. William Scalf and Dr. John Bizon, made a decision to sacrifice any chance of recovering files their patients needed for what? To save maybe $6500? Maruca writes:
Facing the expense and uncertainty of recovering from this attack, the two physicians, Dr. William Scalf, 64, and Dr. John Bizon, 66 (who also serves as a Republican Michigan state senator), decided to close their practice and accelerate their planned retirement by a year. Unfortunately, with all their records wiped clean, they did not even have a list of patients and their contact information to allow them to communicate the closure of the practice. Instead, Dr. Scalf said, “… what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.” Patients were given referrals to other otolaryngologists in the area, but their records, including test results, remained unavailable.
In explaining their decision not to pay the ransom, Maruca’s article cites a statistic from a cybersecurity firm that only 1/3 of victims who pay ransom get the decryption key. That percentage is significantly less than what the BakerHostetler law firm reports. They report that in their experience handling hundreds of cases last year, the decryption key was provided in 94% of cases when ransom was paid. And these were not all small ransoms. The firm notes that already in 2019, they have had a few clients make ransom payments of more than $1 million — although they inform me that none of these are healthcare entities.
As other reports note, the likelihood of being able to recover data, even with a decryption key, is in no small part a function of what type of ransomware was involved. In the Brookside case, we haven’t been told that piece of information, but the doctors do not mention that as one of the factors that led to their decision not to pay the ransom.
Suppose the doctors had paid the decryption ransom of $6500.00 and gotten access to their data. They could have still decided to close the practice and retire early rather than rebuild their entire infrastructure and network, but at least they would have been able to contact patients and offer patients the ability to obtain copies of their medical records.
And if the doctors paid the ransom and got stiffed, then at least they could say they tried their best.
Over the past few years, I’ve often stated publicly that even though none of us want to reward criminals or encourage more ransom demands, I would never condemn a healthcare entity who decided to pay ransom because patient care or patient safety was being compromised. I never anticipated that the day might come when I might actually criticize a healthcare entity for not paying a ransom demand, but this situation comes close.
So did the doctors make a decision in their own best interest that was also in the patients’ best interests at this point, or did they just do what was easiest for them, even though other options might have been better for the patients?
Yes, we can talk about how this all might have been prevented in a perfect world where the doctors had a copy of their updated patient roster with contact info printed out daily or where they had a different backup system that could not be corrupted by the ransomware, but that ship already sailed. Let’s just look at the decisions that had to be made at that point. Did the doctors do the right thing? What do YOU think? Either way, I want to be clear that I still do feel badly for the doctors, but right now, I’m just focused on the patients and whether this decision was appropriate given that it left patients definitely without access to their medical records.