On October 1, 2019, DCH Health Systems suffered a ransomware infection at three hospitals that forced them to turn away non-critical patients. The attack continued to impact hospital operations for 10 days. By January 2020, it was reported that a class-action lawsuit had been filed against the organization claiming that DCH did not have the proper security system in place to prevent data breaches and cyber-attacks.
Blocking ransomware is your responsibility:
Ransomware attacks disrupt access to critical files by encrypting them until a sum of money is paid. Roughly 80% of these attacks get in through email, and the share is higher in healthcare. Depending on how the ransomware is programmed, it can shut down clinics, departments, facilities and regional systems.
It’s not just the delays in care during an attack that cause problems for patients. Research shows that the way a hospital recovers from an attack can greatly affect the care of critical heart patients.
During the course of the DCH ransomware attack, the facilities had to turn away patients and ambulances for several days. No new patients were admitted. Critical patients were stabilized before being sent elsewhere. Patients “had their medical care and treatment, as well as their daily lives, disrupted”. Care was delayed as they were forced to seek alternative care elsewhere.
DCH stated that no medical records were impacted by the attack and that it was able to assist with critical patients. Upon discovering the breach, it worked with appropriate authorities to protect patients and recover while posting notices and updates. However, the suit claims that DCH breached its obligations to patients by “failing to properly maintain and safeguard its computer systems and data.”
Healthcare privacy regulations, such as HIPAA or the HIA, hold clinics accountable for taking necessary steps to prevent privacy breaches. If a breach is reported in your clinic and the investigation shows proper precautions weren’t taken, liability falls to those in charge.
The public is holding insecure organizations accountable
DCH is not the first healthcare organization to be sued after failing to prevent a privacy breach.
Another case was filed in September 2019 after Campbell County Memorial Hospital was hit with a cyber attack that caused the shutdown of its computers, affecting the main hospital and numerous clinics. A cyber attack on Solara Medical Supplies that lasted months drew a suit citing a lack of adequate security measures. After Kalispell Regional Healthcare suffered a phishing attack in which it was determined that the attackers potentially accessed patient records, a class-action lawsuit was filed against it as well.
The number of claims brought to court over clinics and healthcare organizations failing to protect patient information is now starting to grow. It is critical that you train staff appropriately and implement the correct safeguards to protect the patient information in your care from any potential attacks or intrusions by cyber criminals.