Hazel Hawkins discovers ransomware threat is a hoax

A social engineering hoax centered around ransomware has captured the attention of the AHA and the FBI.
By Jeff Lagasse , Editor
Photo (clinician sitting at a computer): Al David Sacks/Getty Images

Hazel Hawkins Memorial Hospital (HHMH) recently thought it was the victim of a ransomware demand, but it turns out the incident was actually an elaborate social engineering hoax.

Earlier this month, the hospital received correspondence implying that an outside organization had gained access to HHMH Information Systems over the past several weeks and demanded a ransom payment to keep the data unpublished.

Staff immediately contacted authorities and worked closely with local, state and federal law enforcement agencies, along with the hospital's cybersecurity partners, to assess the validity of the threat, according to HHMH.

The district confirmed that the mailed ransom notes were a social engineering hoax, with no evidence linking them to an actual ransomware attack. It also verified that no IT compromise had occurred during that period.

WHAT'S THE IMPACT?

HHMH isn't the only entity targeted with fake ransomware demands. The American Hospital Association and the FBI have also received data extortion letters by mail, the AHA said earlier this month.

The letters mostly purport to be from the Russian ransomware group known as BianLian. They also contain a U.S.-based return address of "BianLian Group" originating from Boston, the FBI said.

The threat actors claim to have a large amount of sensitive patient health information and other personally identifiable information, and they threaten to publish the data unless a ransom is paid. But they offer no proof, only a ransom demand and payment method.

"It is highly unusual and highly unlikely that a real foreign ransomware group would send hard copy letters through the USPS," John Riggi, AHA national advisor for cybersecurity and risk, said in a statement. "I have personally reviewed the letters and discussed the situation with some of the victim organizations and the FBI. The consensus reached was that these extortion attempts were most likely hoaxes. If a healthcare organization receives such a letter, it is recommended that they contact their local FBI office and have a report filed with the agency. It is also recommended that the letter and accompanying envelope be handled minimally and preserved in a larger paper envelope for possible fingerprint and forensic examination by law enforcement. Further information on this issue is forthcoming by FBI."

THE LARGER TREND

As of October, 389 healthcare institutions in the U.S. were attacked with ransomware in 2024, which caused network shutdowns, offline systems, rescheduled appointments and delays in critical procedures, a Microsoft report found.

The report, which aggregated information from other reports and datasets, cited a Comparitech analysis showing that the attacks are costly: healthcare organizations lose up to $900,000 per day on downtime alone.

According to a recent U.S. government interagency report cited by Microsoft, ransomware attacks have surged by 300% since 2015, largely because ransomware-as-a-service (RaaS) has lowered the barrier to entry for hackers who lack technical expertise, while other ransomware groups operate from safe harbor in Russia.

Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was $1.5 million, and the average payment was $4.4 million, according to the HIPAA Journal.

Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.