University Medical Center in Lubbock. Staff photo.
University Medical Center (UMC) paid a ransom to get its computer data back after a security breach in September, LubbockLights.com has learned from multiple sources.
Insurance covered both the ransom and cost of recovery efforts except for a deductible.
UMC said in a public statement the private information was fully restored and one of our sources added, “To our knowledge, no information has been put up for sale on the Internet.”
The attack started on September 16 and was discovered on the 26th. A similar attack was reported at the Texas Tech University Health Sciences Centers (HSCs) in Lubbock and El Paso between September 17 and the 29th.
The HSCs tied the attacks together in an online public statement November 14, saying, “The IT outage affects many of the shared systems that the TTUHSC and Texas Tech Physicians clinics and UMC use in daily operations.”
Related story: Ransomware attack in Lubbock, El Paso affects more than 1.4 million people, federal agency reveals
A ransomware group identifying itself as Interlock claimed responsibility for the TTUHSC attack. Neither the HSCs nor UMC have confirmed or denied Interlock as the attacker.
Interlock claimed HSC data was available for download. The schools disclosed to the federal government they must inform more than 1.4 million people their information was breached.
UMC needed to disclose its breach to 500 or more.
What UMC reported
Within 60 days, healthcare facilities must report a breach of protected information to the U.S. Department of Health and Human Services Office for Civil Rights. LubbockLights.com acquired UMC’s report in an open records request.
“UMC Health System initiated an investigation, took steps to secure its systems, and notified law enforcement. Additionally, a third-party forensic firm was engaged to assist in the investigation,” UMC’s notification reported to HHS on November 22.
The notification said the attacker got:
- Names
- Addresses
- Dates of birth
- Social Security numbers
- Diagnoses
- Health insurance information
- Provider names and/or
- Dates of treatment
UMC’s report said it had privacy and security rules already in place at the time of the attack.
After the attack, UMC, “changed passwords, strengthened password requirements” and “implemented new technical safeguards,” according to the report.
The technical safeguards were not described in detail in the notice.
How these things often go
UMC has not disclosed the amount of the ransomware demand. The average ransom demand nationwide is $4 million according to a cyber security company called Sophos.
Sophos published a paper this year with information from 402 health care professionals. It found the average ransomware payment was $4.4 million. Half of the payments were more than $1.47 million and half of them were less.
In 22 percent of the attacks against healthcare, the information was both encrypted and stolen – not just encrypted for ransom.
More than half of the healthcare providers hit with ransomware paid to get their data back.
Recovery costs, which have doubled since 2021, are sometimes higher than the ransom payment – averaging $2.57 million, Sophos found.
One of our sources knowledgeable about the issue said, “I do think the cost of notification is sometimes greater than people appreciate.”
Those costs can include outside lawyers, an IT or ransomware consultant, a forensic investigation and the cost of printing and mailing notices. The cost also includes credit monitoring services for the people whose information was stolen.
Sometimes the cost of the ransom is lower than continued loss of business operations, Lubbock Lights.com learned.
A 2021 memo from the U.S. Treasury Department said ransomware payments are discouraged but only illegal if they violate a federal sanctions or embargo list.
Other high-profile breaches in the last five years
- Trustpoint Rehabilitation Hospital of Lubbock, hacking IT incident, 9,014 people affected, reported March 29 this year.
- Cogdell Memorial Hospital (Scurry County Hospital District), hacking IT incident, 86,981 people affected, reported February 24 this year.
- Lubbock Heart & Surgical Hospital, ransomware attack, 122,605 people affected, reported on Sept. 9, 2022.
- Texas Tech University Health Sciences Center, ransomware attack on business associate, 1,290,104 people affected, reported on June 7, 2022.
- Texas Tech University Health Sciences Center, ransomware attack on business associate, 36,739 people affected, reported on Dec. 9, 2020.
The downtime
The average recovery time has gone up in the last three years. According to Sophos, 22 percent of healthcare professionals in its survey said the recovery was either one day or less than a week. That’s less than half what it used to be.
UMC’s recovery time was a little less than two months with Mark Funderburk, CEO, sending a memo to employees on November 22 saying, “All clinical aspects of UMC Health System are now operational.”
No life-saving care stopped during the computer attack. Elective surgeries were put off and incoming emergencies were diverted to Covenant Health System, a source said.
“We reverted to downtime procedures. UMC was committed to protecting not only IT infrastructure and its employees, but also its patients and – despite this event – did everything that it could to ensure a positive outcome with restoration that involved countless hours from its employees to support the full restoration the system,” the source added.
Please click here to support Lubbock Lights.
Comment, react or share on our Facebook post.
Facebook