Kentucky Community Health Center Paid $70,000 to Ransomware Attackers

Park DuValle Community Health Center, based in Louisville, KY, suffered a ransomware attack on June 7, 2019, after hackers gained access to its network. They installed ransomware that blocked access to the center’s appointment booking platform and healthcare record system.

The non-profit health center serves low-income patients residing in the western Louisville area and provides healthcare services to patients even if they have no insurance. Because of the breach, the health center staff had to record patient data using pen and paper for seven weeks. Doctors had to rely on the treatment and prescription records that patients had themselves. The center accepted patients on a walk-in basis because consultations could not be booked on its systems and patient data could not be retrieved.

The medical record system contains close to 20,000 records of patients who were treated at one of its medical facilities in Louisville, Russell, Newburg and Taylorsville.

This is not the first time this year that Park DuValle Community Health Center was attacked by ransomware. On April 2, 2019, ransomware disabled the center’s computer networks. The IT team was able to restore data using backups, so no ransom was paid. Systems had to be rebuilt from scratch, which is why they were offline for three weeks.

In the most recent attack, the health center decided to pay the ransom after conferring with third-party IT experts and the FBI. Park DuValle’s CEO Elizabeth Ann Hagan-Grigsby stated that it was not possible to rebuild the systems and recover data from backups.

To get the decryption keys, Park DuValle paid a ransom totaling roughly $70,000. The networks of Park DuValle are expected to be fully operational by August 1, 2019.

Though the ransomware attack made the files and systems inaccessible, Hagan-Grigsby is confident that no data breach occurred. Park DuValle already reported the incident to the Department of Health and Human Services, but there was no report of a data breach. No evidence was found to suggest that the unencrypted patient information was accessed. There is also no record in the firewall logs that data was exfiltrated from its systems.