MedStar Health, a major hospital chain which boasts 10 hospitals throughout the District of Columbia and Maryland, was forced to go offline due to a computer virus sent by unknown hackers, reports the Washington Post. The FBI said it was investigating whether the hackers demanded a ransom to remove the virus which affected thousands of doctors.
Hospital officials told The Washington Post that no information had been stolen. Medstar Health posted a statement in its Facebook page saying the virus prevented certain users from logging into the computer systems.
"Currently, all of our clinical facilities remain open and functioning," the statement said. "We have no evidence that information has been compromised."
Ann Nickels, a MedStar spokeswoman, said in a statement:
“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and cybersecurity partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning.”
She said she couldn’t say whether it was a ransomware attack, but according to officials patient care has not been affected and the hospitals have been using a paper backup system.
MedStar, a $5 billion operation, operates 10 hospitals including the MedStar Georgetown University Hospital, along with other facilities. It also operates more than 250 outpatient facilities in the Maryland and Washington, D.C., area. The organization trains and employs thousands of physicians, who handled more than 4 million outpatient visits in the last fiscal year. It has 30,000 staff and 6,000 affiliated physians
Monday’s hacking at MedStar came one month after Hollywood Presbyterian Medical Center, which is owned by CHA Medical Center of South Korea, paid hackers $17,000 (in bitcoins) to regain control of its computer system. Hackers used an email attachment to seize the hospital’s computer system with ransomware. The hospital disclosed the attack publicly, which took 10 days to restore full operations after it was first noticed on February 5.
Amid a growing number of ransomware attacks on healthcare industry, Rep. Ted Lieu (D-Calif.) says breach notification laws should be updated to reflect the new threat. Although, hospitals are critical infrastructures, there is no requirement to disclose hackings even if operations are disrupted unless patient data is impacted.